From 870d98568601e0bbaf9c39d0378dba00e98c3e14 Mon Sep 17 00:00:00 2001 From: Yang Ding Date: Tue, 25 Jan 2022 10:38:47 -0800 Subject: [PATCH 1/7] Add ACNP copy span for multi-cluster 
Signed-off-by: Yang Ding --- ci/jenkins/clean-mc.sh | 148 ++ ci/jenkins/test-mc.sh | 38 +- multicluster/Makefile | 2 +- .../apis/multicluster/v1alpha1/acnpimport.go | 80 + .../v1alpha1/resourceexport_types.go | 3 + .../v1alpha1/resourceexport_webhook.go | 22 + .../v1alpha1/resourceimport_types.go | 3 + .../v1alpha1/zz_generated.deepcopy.go | 121 +- .../antrea-multicluster-leader-global.yml | 1979 ++++++++++++++++ .../antrea-multicluster-leader-namespaced.yml | 40 + .../yamls/antrea-multicluster-member.yml | 2019 +++++++++++++++++ .../cmd/multicluster-controller/controller.go | 2 + ...ulticluster.crd.antrea.io_acnpimports.yaml | 77 + ...cluster.crd.antrea.io_resourceexports.yaml | 1610 +++++++++++++ ...cluster.crd.antrea.io_resourceimports.yaml | 1610 +++++++++++++ multicluster/config/crd/kustomization.yaml | 1 + multicluster/config/rbac/role.yaml | 40 + .../controllers/multicluster/common/helper.go | 10 +- .../commonarea/remote_common_area_manager.go | 2 +- .../commonarea/resourceimport_controller.go | 189 +- .../resourceimport_controller_test.go | 388 +++- .../multicluster/resourceexport_controller.go | 53 +- .../resourceexport_controller_test.go | 63 +- .../typed/multicluster/v1alpha1/acnpimport.go | 183 ++ .../v1alpha1/fake/fake_acnpimport.go | 132 ++ .../v1alpha1/fake/fake_multicluster_client.go | 4 + .../v1alpha1/generated_expansion.go | 2 + .../v1alpha1/multicluster_client.go | 5 + .../informers/externalversions/generic.go | 2 + .../multicluster/v1alpha1/acnpimport.go | 88 + .../multicluster/v1alpha1/interface.go | 7 + .../multicluster/v1alpha1/acnpimport.go | 67 + .../v1alpha1/expansion_generated.go | 4 + pkg/apis/crd/v1alpha1/types.go | 15 +- 34 files changed, 8958 insertions(+), 51 deletions(-) create mode 100644 ci/jenkins/clean-mc.sh create mode 100644 multicluster/apis/multicluster/v1alpha1/acnpimport.go create mode 100644 multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml create mode 100644 
multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go create mode 100644 multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go create mode 100644 multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go create mode 100644 multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go diff --git a/ci/jenkins/clean-mc.sh b/ci/jenkins/clean-mc.sh new file mode 100644 index 00000000000..1e07681c09d --- /dev/null +++ b/ci/jenkins/clean-mc.sh 
@@ -0,0 +1,148 @@ +#!/usr/bin/env bash + +# Copyright 2021 Antrea Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -eo pipefail + +DEFAULT_WORKDIR="/var/lib/jenkins" +DEFAULT_KUBECONFIG_PATH=$DEFAULT_WORKDIR/kube.conf +WORKDIR=$DEFAULT_WORKDIR +TESTCASE="" +TEST_FAILURE=false +DOCKER_REGISTRY=$(head -n1 "/var/lib/jenkins/antrea/ci/docker-registry") +GO_VERSION=$(head -n1 "/var/lib/jenkins/antrea/build/images/deps/go-version") +IMAGE_PULL_POLICY="Always" +MULTICLUSTER_KUBECONFIG_PATH=$WORKDIR/.kube +LEADER_CLUSTER_CONFIG="--kubeconfig=$MULTICLUSTER_KUBECONFIG_PATH/leader" +EAST_CLUSTER_CONFIG="--kubeconfig=$MULTICLUSTER_KUBECONFIG_PATH/east" +WEST_CLUSTER_CONFIG="--kubeconfig=$MULTICLUSTER_KUBECONFIG_PATH/west" + +NGINX_IMAGE=projects.registry.vmware.com/antrea/nginx:1.21.6-alpine + +CONTROL_PLANE_NODE_ROLE="control-plane,master" + +multicluster_kubeconfigs=($EAST_CLUSTER_CONFIG $LEADER_CLUSTER_CONFIG $WEST_CLUSTER_CONFIG) +membercluter_kubeconfigs=($EAST_CLUSTER_CONFIG $WEST_CLUSTER_CONFIG) + +CLEAN_STALE_IMAGES="docker system prune --force --all --filter until=48h" + +_usage="Usage: $0 [--kubeconfigs-path ] [--workdir ] + [--testcase ] + +Run Antrea multi-cluster e2e tests on a remote (Jenkins) Linux Cluster Set. + + --kubeconfigs-path Path of cluster set kubeconfigs. + --workdir Home path for Go, vSphere information and antrea_logs during cluster setup. Default is $WORKDIR. + --testcase Antrea multi-cluster e2e test cases on a Linux cluster set. 
+ --registry The docker registry to use instead of dockerhub." + +function print_usage { + echoerr "$_usage" +} + + +while [[ $# -gt 0 ]] +do +key="$1" + +case $key in + --kubeconfigs-path) + MULTICLUSTER_KUBECONFIG_PATH="$2" + shift 2 + ;; + --workdir) + WORKDIR="$2" + shift 2 + ;; + --testcase) + TESTCASE="$2" + shift 2 + ;; + --registry) + DOCKER_REGISTRY="$2" + shift 2 + ;; + -h|--help) + print_usage + exit 0 + ;; + *) # unknown option + echoerr "Unknown option $1" + exit 1 + ;; +esac +done + + +function clean_tmp() { + echo "===== Clean up stale files & folders older than 7 days under /tmp =====" + CLEAN_LIST=( + "*codecov*" + "kustomize-*" + "*antrea*" + "go-build*" + ) + for item in "${CLEAN_LIST[@]}"; do + find /tmp -name "${item}" -mtime +7 -exec rm -rf {} \; 2>&1 | grep -v "Permission denied" || true + done + find ${WORKDIR} -name "support-bundles*" -mtime +7 -exec rm -rf {} \; 2>&1 | grep -v "Permission denied" || true +} + + +function cleanup_multicluster_ns { + ns=$1 + kubeconfig=$2 + + kubectl delete ns "${ns}" --ignore-not-found=true ${kubeconfig} --timeout=30s || true +} + +function cleanup_multicluster_controller { + echo "====== Cleanup Multicluster Controller Installation ======" + kubeconfig=$1 + for multicluster_yml in /var/lib/jenkins/antrea/multicluster/test/yamls/*.yml; do + kubectl delete -f $multicluster_yml $kubeconfig --ignore-not-found=true --timeout=30s || true + done + + for multicluster_yml in /var/lib/jenkins/antrea/multicluster/build/yamls/*.yml; do + kubectl delete -f $multicluster_yml $kubeconfig --ignore-not-found=true --timeout=30s || true + done +} + +function cleanup_multicluster_antrea { + echo "====== Cleanup Antrea controller and agent ======" + kubeconfig=$1 + kubectl get pod -n kube-system -l component=antrea-agent --no-headers=true $kubeconfig | awk '{print $1}' | while read AGENTNAME; do + kubectl exec $AGENTNAME -c antrea-agent -n kube-system ${kubeconfig} ovs-vsctl del-port br-int gw0 || true + done + + for 
antrea_yml in ${WORKDIR}/*.yml; do + kubectl delete -f $antrea_yml --ignore-not-found=true ${kubeconfig} --timeout=30s || true + done +} + +function clean_multicluster { + echo "====== Cleanup Multicluster Antrea Installation in clusters ======" + for kubeconfig in "${multicluster_kubeconfigs[@]}" + do + cleanup_multicluster_ns "antrea-multicluster-test" $kubeconfig + cleanup_multicluster_ns "antrea-mcs-ns" $kubeconfig + cleanup_multicluster_controller $kubeconfig + cleanup_multicluster_antrea $kubeconfig + done +} + +trap clean_multicluster EXIT +clean_tmp + diff --git a/ci/jenkins/test-mc.sh b/ci/jenkins/test-mc.sh index a6eca62a516..0ed570f0db9 100755 --- a/ci/jenkins/test-mc.sh +++ b/ci/jenkins/test-mc.sh @@ -25,8 +25,8 @@ DEFAULT_KUBECONFIG_PATH=$DEFAULT_WORKDIR/kube.conf WORKDIR=$DEFAULT_WORKDIR TESTCASE="" TEST_FAILURE=false -DOCKER_REGISTRY=$(head -n1 "${WORKSPACE}/ci/docker-registry") -GO_VERSION=$(head -n1 "${WORKSPACE}/build/images/deps/go-version") +DOCKER_REGISTRY=$(head -n1 "/var/lib/jenkins/antrea/ci/docker-registry") +GO_VERSION=$(head -n1 "/var/lib/jenkins/antrea/build/images/deps/go-version") IMAGE_PULL_POLICY="Always" MULTICLUSTER_KUBECONFIG_PATH=$WORKDIR/.kube LEADER_CLUSTER_CONFIG="--kubeconfig=$MULTICLUSTER_KUBECONFIG_PATH/leader" @@ -115,11 +115,11 @@ function cleanup_multicluster_ns { function cleanup_multicluster_controller { echo "====== Cleanup Multicluster Controller Installation ======" kubeconfig=$1 - for multicluster_yml in ${WORKSPACE}/multicluster/test/yamls/*.yml; do + for multicluster_yml in /var/lib/jenkins/antrea/multicluster/test/yamls/*.yml; do kubectl delete -f $multicluster_yml $kubeconfig --ignore-not-found=true --timeout=30s || true done - for multicluster_yml in ${WORKSPACE}/multicluster/build/yamls/*.yml; do + for multicluster_yml in /var/lib/jenkins/antrea/multicluster/build/yamls/*.yml; do kubectl delete -f $multicluster_yml $kubeconfig --ignore-not-found=true --timeout=30s || true done } 
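Review bot: `print_usage` and the unknown-option branch both call `echoerr`, which this new script never defines, so `--help` and any bad flag die with "command not found" under `set -e` instead of printing usage; define it (`function echoerr { >&2 echo "$@"; }`) or write `echo "$_usage" >&2`. The `--kubeconfigs-path` and `--workdir` flags are also ineffective for cleanup: `MULTICLUSTER_KUBECONFIG_PATH`, the three `*_CLUSTER_CONFIG` strings and the two kubeconfig arrays are computed before the option loop runs, so `clean_multicluster` always targets `$DEFAULT_WORKDIR/.kube/{leader,east,west}` whatever was passed; move those derivations below the loop. `clean_tmp` runs `find /tmp -name "*antrea*" -mtime +7 -exec rm -rf {} \;` over a world-writable directory, which removes anything another user placed there with a matching name and makes `find` descend into trees it has just deleted; limiting it to the job user's own top-level entries, e.g. `find /tmp -maxdepth 1 -user "$(id -un)" -name "${item}" -mtime +7 -exec rm -rf {} +`, keeps the cleanup to its own artefacts.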
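Review bot: `DOCKER_REGISTRY` and `GO_VERSION` are now read from the fixed path `/var/lib/jenkins/antrea/...` rather than `${WORKSPACE}`, so the registry every test image is pulled from comes from whatever checkout happens to live at that path on the agent, not from the revision under test, and if that tree is stale or absent the `head` presumably aborts the script under the same `set -e`. If the intent is to share these values with the new `clean-mc.sh`, document it next to the assignment, e.g. `# read from the persistent checkout so clean-mc.sh, which runs outside the job workspace, sees the same values`, and consider falling back to `${WORKSPACE}` when the fixed path is missing so the script still works on other agents.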
@@ -138,7 +138,7 @@ function cleanup_multicluster_antrea { function clean_multicluster { echo "====== Cleanup Multicluster Antrea Installation in clusters ======" - for kubeconfig in ${multicluster_kubeconfigs[@]} + for kubeconfig in "${multicluster_kubeconfigs[@]}" do cleanup_multicluster_ns "antrea-multicluster-test" $kubeconfig cleanup_multicluster_ns "antrea-mcs-ns" $kubeconfig @@ -174,7 +174,7 @@ function wait_for_multicluster_controller_ready { sed -i 's/antrea-mcs-ns/kube-system/g' ./multicluster/test/yamls/leader-access-token.yml echo "type: Opaque" >>./multicluster/test/yamls/leader-access-token.yml - for config in ${membercluter_kubeconfigs[@]}; + for config in "${membercluter_kubeconfigs[@]}"; do kubectl apply -f ./multicluster/build/yamls/antrea-multicluster-member.yml ${config} kubectl rollout status deployment/antrea-mc-controller -n kube-system ${config} @@ -203,7 +203,7 @@ function deliver_antrea_multicluster { docker save -o ${WORKDIR}/antrea-ubuntu.tar $DOCKER_REGISTRY/antrea/antrea-ubuntu:latest - for kubeconfig in ${multicluster_kubeconfigs[@]} + for kubeconfig in "${multicluster_kubeconfigs[@]}" do kubectl get nodes -o wide --no-headers=true ${kubeconfig}| awk '{print $6}' | while read IP; do rsync -avr --progress --inplace -e "ssh -o StrictHostKeyChecking=no" "${WORKDIR}"/antrea-ubuntu.tar jenkins@[${IP}]:${WORKDIR}/antrea-ubuntu.tar @@ -225,7 +225,7 @@ function deliver_multicluster_controller { docker save antrea/antrea-mc-controller:latest -o "${WORKDIR}"/antrea-mcs.tar ./multicluster/hack/generate-manifest.sh -l antrea-mcs-ns >./multicluster/test/yamls/manifest.yml - for kubeconfig in ${multicluster_kubeconfigs[@]} + for kubeconfig in "${multicluster_kubeconfigs[@]}" do kubectl get nodes -o wide --no-headers=true "${kubeconfig}"| awk '{print $6}' | while read IP; do rsync -avr --progress --inplace -e "ssh -o StrictHostKeyChecking=no" "${WORKDIR}"/antrea-mcs.tar jenkins@[${IP}]:${WORKDIR}/antrea-mcs.tar 
@@ -237,7 +237,7 @@ function deliver_multicluster_controller { sed -i "s||${leader_ip}|" ./multicluster/test/yamls/east-member-cluster.yml sed -i "s||${leader_ip}|" ./multicluster/test/yamls/west-member-cluster.yml - for kubeconfig in ${membercluter_kubeconfigs[@]} + for kubeconfig in "${membercluter_kubeconfigs[@]}" do ip=$(kubectl get nodes -o wide --no-headers=true ${EAST_CLUSTER_CONFIG} | awk -v role="$CONTROL_PLANE_NODE_ROLE" '$3 == role {print $6}') rsync -avr --progress --inplace -e "ssh -o StrictHostKeyChecking=no" ./multicluster/test/yamls/test-east-serviceexport.yml jenkins@[${ip}]:${WORKDIR}/serviceexport.yml @@ -265,7 +265,7 @@ function run_multicluster_e2e { docker tag "${DOCKER_REGISTRY}/antrea/agnhost:2.26" "agnhost:2.26" docker save agnhost:2.26 -o "${WORKDIR}"/agnhost.tar - for kubeconfig in ${membercluter_kubeconfigs[@]} + for kubeconfig in "${membercluter_kubeconfigs[@]}" do kubectl get nodes -o wide --no-headers=true "${kubeconfig}"| awk '{print $6}' | while read IP; do rsync -avr --progress --inplace -e "ssh -o StrictHostKeyChecking=no" "${WORKDIR}"/nginx.tar jenkins@["${IP}"]:"${WORKDIR}"/nginx.tar @@ -277,17 +277,17 @@ function run_multicluster_e2e { done - set +e - mkdir -p `pwd`/antrea-multicluster-test-logs - go test -v antrea.io/antrea/multicluster/test/e2e --logs-export-dir `pwd`/antrea-multicluster-test-logs - if [[ "$?" != "0" ]]; then - TEST_FAILURE=true - fi - set -e +# set +e +# mkdir -p `pwd`/antrea-multicluster-test-logs +# go test -v antrea.io/antrea/multicluster/test/e2e --logs-export-dir `pwd`/antrea-multicluster-test-logs +# if [[ "$?" != "0" ]]; then +# TEST_FAILURE=true +# fi +# set -e } -trap clean_multicluster EXIT -clean_tmp +#trap clean_multicluster EXIT +#clean_tmp if [[ ${TESTCASE} =~ "e2e" ]]; then deliver_antrea_multicluster diff --git a/multicluster/Makefile b/multicluster/Makefile index a47ffb12e2e..b12a25764e6 100644 --- a/multicluster/Makefile +++ b/multicluster/Makefile 
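Review bot: The `go test` invocation, the `TEST_FAILURE` assignment, `trap clean_multicluster EXIT` and `clean_tmp` are all commented out, so `run_multicluster_e2e` now only ships images and applies manifests and the job reports success without executing any e2e test, while the `antrea-multicluster-test`/`antrea-mcs-ns` namespaces and the controllers stay behind on the shared clusters until something else removes them. If this is temporary scaffolding while the new `clean-mc.sh` is brought up, it should be reverted before merge or gated behind an explicit flag such as `--skip-e2e` with the EXIT trap left in place; a commented-out block gives CI no signal that the tests did not run.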
@@ -1,5 +1,5 @@
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false"
+CRD_OPTIONS ?= "crd:trivialVersions=true,allowDangerousTypes=true,preserveUnknownFields=false"
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
diff --git a/multicluster/apis/multicluster/v1alpha1/acnpimport.go b/multicluster/apis/multicluster/v1alpha1/acnpimport.go
new file mode 100644
index 00000000000..479455326b2
--- /dev/null
+++ b/multicluster/apis/multicluster/v1alpha1/acnpimport.go
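Review bot: `allowDangerousTypes=true` is added to `CRD_OPTIONS` with no comment saying which field needs it; the flag lets controller-gen emit float schemas, which Kubernetes discourages because float values are not round-trip safe across JSON/YAML and server-side apply, and once set it applies to every type in the group. If it is for the float64 `priority` on the ANP import type referenced in the `resourceimport_types.go` TODO, record that beside the option, e.g. `# allowDangerousTypes: ANP priority is a float64; see resourceimport_types.go`, so nobody later adds float fields assuming they are validated like the rest.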
@@ -0,0 +1,80 @@ +/* +Copyright 2022 Antrea Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// +genclient +// +genclient:nonNamespaced +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=acnpimports,scope=Cluster +// +kubebuilder:subresource:status +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ACNPImport describes an ACNP imported from the leader cluster in a ClusterSet. +type ACNPImport struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ObjectMeta `json:"metadata,omitempty"` + // +optional + Status ACNPImportStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ACNPImportList contains a list of ACNPImport. 
+type ACNPImportList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []ACNPImport `json:"items"` +} + +type ACNPImportStatus struct { + // +optional + // +patchStrategy=merge + // +patchMergeKey=type + // +listType=map + // +listMapKey=type + Conditions []ACNPImportCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +type ACNPImportConditionType string + +const ( + ACNPImportRealizable ACNPImportConditionType = "Realizable" +) + +type ACNPImportCondition struct { + Type ACNPImportConditionType `json:"type"` + // Status is one of {"True", "False", "Unknown"} + // +kubebuilder:validation:Enum=True;False;Unknown + Status v1.ConditionStatus `json:"status"` + // +optional + LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"` + // +optional + Reason *string `json:"reason,omitempty"` + // +optional + Message *string `json:"message,omitempty"` +} + +func init() { + SchemeBuilder.Register(&ACNPImport{}, &ACNPImportList{}) +} diff --git a/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go b/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go index 6d58cfb5b79..fe0afdb9e36 100644 --- a/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go +++ b/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go @@ -20,6 +20,7 @@ import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apis/crd/v1alpha2" ) 
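Review bot: `ACNPImportStatus`, `ACNPImportConditionType`, `ACNPImportRealizable` and `ACNPImportCondition` are exported with no doc comment, and nothing states what "Realizable" means or which component writes the status; since the type carries no spec, the conditions are its entire contract and the comment is the only place an operator will learn what `Realizable=False` tells them. Add `// ACNPImportStatus reports the realization state of an ACNP imported into this member cluster.` and `// ACNPImportRealizable is True when the imported ACNP could be created in the member cluster; Reason and Message carry the failure otherwise.` — the latter is my reading of the name, so confirm it against the controller that sets it. Note also that `Status` is the only enum-validated field; `Type` is a free string, so a typo in a condition type is accepted by the CRD.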
@@ -63,6 +64,8 @@ type ResourceExportSpec struct { Endpoints *EndpointsExport `json:"endpoints,omitempty"` // If exported resource is ExternalEntity. ExternalEntity *ExternalEntityExport `json:"externalentity,omitempty"` + // If exported resource is AntreaClusterNetworkPolicy. + ClusterNetworkPolicy *v1alpha1.ClusterNetworkPolicySpec `json:"clusternetworkpolicy,omitempty"` // If exported resource Kind is unknown. Raw RawResourceExport `json:"raw,omitempty"` } diff --git a/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go b/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go index 132e8f5c8d1..5b78713eee6 100644 --- a/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go +++ b/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go @@ -21,6 +21,8 @@ import ( ctrl "sigs.k8s.io/controller-runtime" logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/webhook" + + "antrea.io/antrea/multicluster/controllers/multicluster/common" ) // log is for logging in this package. 
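Review bot: The new `ClusterNetworkPolicy` field embeds a member cluster's full `ClusterNetworkPolicySpec` in the leader-side `ResourceExport`, but its one-line comment does not say what happens to it downstream or who may set it; a ResourceExport with this field set presumably becomes cluster-wide policy in the clusters that import it, which makes the right to create one a trust boundary rather than an ordinary export. Expand the comment to make that explicit, e.g. `// If exported resource is AntreaClusterNetworkPolicy. The spec is carried verbatim and becomes cluster-scoped policy wherever it is imported, so creation of ResourceExports with this field set should be limited to trusted principals.` The enclosing `ResourceExportSpec` struct starts and ends outside the hunk.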
@@ -39,6 +41,26 @@ var _ webhook.Defaulter = &ResourceExport{} // Default implements webhook.Defaulter so a webhook will be registered for the type func (r *ResourceExport) Default() { resourceexportlog.Info("default", "name", r.Name) + if r.Spec.ClusterNetworkPolicy == nil { + // Only mutate ResourceExport created for ClusterNetworkPolicy resources + return + } + if len(r.Labels) == 0 { + r.Labels = map[string]string{} + } + if nameLabelVal, exists := r.Labels[common.SourceName]; !exists || nameLabelVal != r.Spec.Name { + r.Labels[common.SourceName] = r.Spec.Name + } + if namespaceLabelVal, exists := r.Labels[common.SourceNamespace]; !exists || namespaceLabelVal != "" { + r.Labels[common.SourceNamespace] = "" + } + // TODO: put sourceClusterID for leader cluster? + if kindLabelVal, exists := r.Labels[common.SourceKind]; !exists || kindLabelVal != common.AntreaClusterNetworkPolicyKind { + r.Labels[common.SourceKind] = common.AntreaClusterNetworkPolicyKind + } + if r.DeletionTimestamp.IsZero() && !common.StringExistsInSlice(r.Finalizers, common.ResourceExportFinalizer) { + r.Finalizers = []string{common.ResourceExportFinalizer} + } } //+kubebuilder:webhook:path=/validate-multicluster-crd-antrea-io-v1alpha1-resourceexport,mutating=false,failurePolicy=fail,sideEffects=None,groups=multicluster.crd.antrea.io,resources=resourceexports,verbs=create;update,versions=v1alpha1,name=vresourceexport.kb.io,admissionReviewVersions={v1,v1beta1} diff --git a/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go b/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go index d2223f6895c..de0b8eb1c23 100644 --- a/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go +++ b/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go @@ -21,6 +21,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" mcs "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apis/crd/v1alpha2" ) 
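Review bot: The finalizer branch assigns `r.Finalizers = []string{common.ResourceExportFinalizer}`, which replaces any finalizer another controller has already placed on the object instead of adding to it; under the same guard use `r.Finalizers = append(r.Finalizers, common.ResourceExportFinalizer)`. The three label checks of the form `if v, exists := r.Labels[k]; !exists || v != want { r.Labels[k] = want }` are equivalent to unconditional assignment yet read as if something conditional were happening; `r.Labels[common.SourceName] = r.Spec.Name` (and likewise for namespace and kind) is clearer, and the preceding `len(r.Labels) == 0` check only matters for nil-map safety, which `if r.Labels == nil` states more precisely. Since this is the mutating webhook normalizing labels the controller keys on, it silently corrects rather than rejects a ResourceExport whose labels disagree with its spec; the validating webhook registered on the marker below should be where such objects are accepted or refused — confirm it covers the ClusterNetworkPolicy case.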
@@ -57,6 +58,8 @@ type ResourceImportSpec struct { Endpoints *EndpointsImport `json:"endpoints,omitempty"` // If imported resource is ExternalEntity. ExternalEntity *ExternalEntityImport `json:"externalentity,omitempty"` + // If imported resource is AntreaClusterNetworkPolicy. + ClusterNetworkPolicy *v1alpha1.ClusterNetworkPolicySpec `json:"clusternetworkpolicy,omitempty"` // If imported resource is ANP. // TODO: // ANP uses float64 as priority. Type float64 is discouraged by k8s, and is not supported by controller-gen tools. diff --git a/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go b/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go index 822b6fbb25c..f6b81169c62 100644 --- a/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go +++ b/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go @@ -1,4 +1,3 @@ -//go:build !ignore_autogenerated // +build !ignore_autogenerated /* 
@@ -22,12 +21,122 @@ limitations under the License. package v1alpha1 import ( + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apis/crd/v1alpha2" "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime" apisv1alpha1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ACNPImport) DeepCopyInto(out *ACNPImport) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImport. +func (in *ACNPImport) DeepCopy() *ACNPImport { + if in == nil { + return nil + } + out := new(ACNPImport) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ACNPImport) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ACNPImportCondition) DeepCopyInto(out *ACNPImportCondition) { + *out = *in + if in.LastTransitionTime != nil { + in, out := &in.LastTransitionTime, &out.LastTransitionTime + *out = (*in).DeepCopy() + } + if in.Reason != nil { + in, out := &in.Reason, &out.Reason + *out = new(string) + **out = **in + } + if in.Message != nil { + in, out := &in.Message, &out.Message + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImportCondition. +func (in *ACNPImportCondition) DeepCopy() *ACNPImportCondition { + if in == nil { + return nil + } + out := new(ACNPImportCondition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *ACNPImportList) DeepCopyInto(out *ACNPImportList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ACNPImport, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImportList. +func (in *ACNPImportList) DeepCopy() *ACNPImportList { + if in == nil { + return nil + } + out := new(ACNPImportList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ACNPImportList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ACNPImportStatus) DeepCopyInto(out *ACNPImportStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]ACNPImportCondition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImportStatus. +func (in *ACNPImportStatus) DeepCopy() *ACNPImportStatus { + if in == nil { + return nil + } + out := new(ACNPImportStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterClaim) DeepCopyInto(out *ClusterClaim) { *out = *in 
@@ -651,6 +760,11 @@ func (in *ResourceExportSpec) DeepCopyInto(out *ResourceExportSpec) { *out = new(ExternalEntityExport) (*in).DeepCopyInto(*out) } + if in.ClusterNetworkPolicy != nil { + in, out := &in.ClusterNetworkPolicy, &out.ClusterNetworkPolicy + *out = new(crdv1alpha1.ClusterNetworkPolicySpec) + (*in).DeepCopyInto(*out) + } in.Raw.DeepCopyInto(&out.Raw) } @@ -895,6 +1009,11 @@ func (in *ResourceImportSpec) DeepCopyInto(out *ResourceImportSpec) { *out = new(ExternalEntityImport) (*in).DeepCopyInto(*out) } + if in.ClusterNetworkPolicy != nil { + in, out := &in.ClusterNetworkPolicy, &out.ClusterNetworkPolicy + *out = new(crdv1alpha1.ClusterNetworkPolicySpec) + (*in).DeepCopyInto(*out) + } if in.Raw != nil { in, out := &in.Raw, &out.Raw *out = new(RawResourceImport) diff --git a/multicluster/build/yamls/antrea-multicluster-leader-global.yml b/multicluster/build/yamls/antrea-multicluster-leader-global.yml index a6e2f5af46e..7d5e726c0ba 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader-global.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader-global.yml 
@@ -1,5 +1,78 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + labels: + app: antrea + name: acnpimports.multicluster.crd.antrea.io +spec: + group: multicluster.crd.antrea.io + names: + kind: ACNPImport + listKind: ACNPImportList + plural: acnpimports + singular: acnpimport + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ACNPImport describes an ACNP imported from the leader cluster in a ClusterSet. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: Status is one of {"True", "False", "Unknown"} + enum: + - "True" + - "False" + - Unknown + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 
@@ -376,6 +449,959 @@ spec: description: ClusterID specifies the member cluster this resource exported from. type: string + clusternetworkpolicy: + description: If exported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. 
Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. 
If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. 
Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. + properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. 
Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. 
If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. 
+ format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. 
+ properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + type: string + required: + - priority + type: object endpoints: description: If exported resource is EndPoints. properties: 
@@ -1129,6 +2155,959 @@ spec: items: type: string type: array + clusternetworkpolicy: + description: If imported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. 
Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. 
If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. 
Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. + properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. 
Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. 
If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. 
+ format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. 
+ properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + type: string + required: + - priority + type: object endpoints: description: If imported resource is EndPoints. properties: diff --git a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml index f47189981ed..c9926188ad5 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml @@ -45,6 +45,46 @@ rules: - patch - update - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - list + - watch +- apiGroups: + - multicluster.crd.antrea.io + resources: + - acnpimports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multicluster.crd.antrea.io + resources: + - acnpimports/status + verbs: + - get + - patch + - update - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/build/yamls/antrea-multicluster-member.yml b/multicluster/build/yamls/antrea-multicluster-member.yml index 85ce32e4148..496a9349703 100644 
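Review bot: The Role added to antrea-multicluster-leader-namespaced.yml grants the leader controller create/delete/patch/update on `clusternetworkpolicies` in `crd.antrea.io`, a cluster-wide policy resource; if the leader only distributes exported policies and the actual ACNP creation happens on the member side, this is wider than the leader needs. The same rule block also grants full write verbs on `acnpimports`, which again reads as a member-cluster concern. If these rules come from kubebuilder RBAC markers shared between the leader and member controllers, consider splitting the markers so the leader manifest keeps only the read verbs it needs (as `tiers` is already limited to get/list/watch here). The `acnpimports/status` rule with get/patch/update is appropriately narrow.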
--- a/multicluster/build/yamls/antrea-multicluster-member.yml +++ b/multicluster/build/yamls/antrea-multicluster-member.yml 
@@ -1,5 +1,78 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + labels: + app: antrea + name: acnpimports.multicluster.crd.antrea.io +spec: + group: multicluster.crd.antrea.io + names: + kind: ACNPImport + listKind: ACNPImportList + plural: acnpimports + singular: acnpimport + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ACNPImport describes an ACNP imported from the leader cluster in a ClusterSet. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: Status is one of {"True", "False", "Unknown"} + enum: + - "True" + - "False" + - Unknown + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 
@@ -376,6 +449,959 @@ spec: description: ClusterID specifies the member cluster this resource exported from. type: string + clusternetworkpolicy: + description: If exported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. 
Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. 
If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. 
Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. + properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. 
Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. 
If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. 
+ format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. 
+ properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + type: string + required: + - priority + type: object endpoints: description: If exported resource is EndPoints. properties: 
@@ -1129,6 +2155,959 @@ spec: items: type: string type: array + clusternetworkpolicy: + description: If imported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. 
Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. 
If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. 
Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. + properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be applied to. 
Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. 
If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. 
+ format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to a v1.Service. 
+ properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + type: string + required: + - priority + type: object endpoints: description: If imported resource is EndPoints. properties: @@ -1944,6 +3923,46 @@ rules: - patch - update - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - list + - watch +- apiGroups: + - multicluster.crd.antrea.io + resources: + - acnpimports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multicluster.crd.antrea.io + resources: + - acnpimports/status + verbs: + - get + - patch + - update - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/cmd/multicluster-controller/controller.go b/multicluster/cmd/multicluster-controller/controller.go index 8989da33e45..13fee7972c5 100644 --- a/multicluster/cmd/multicluster-controller/controller.go +++ b/multicluster/cmd/multicluster-controller/controller.go 
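Review bot: The new rule grants create/delete/patch/update on `crd.antrea.io` `clusternetworkpolicies` to the ClusterRole in the leader-global manifest, yet nothing in this commit shows the leader controller writing ClusterNetworkPolicies into its own cluster; if only the member-side import path needs write access, the leader role is over-privileged and a compromised leader controller could create or delete cluster-wide policies. This manifest appears to be generated from shared kubebuilder rbac markers, so the narrower fix is probably to scope the marker (or a separate role) to the member controller and leave the leader with `get`/`list`/`watch`. The `tiers` read-only rule and the `acnpimports`/`acnpimports/status` rules look consistent with a tier lookup and reconciliation of the controller's own CRD.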
@@ -39,6 +39,7 @@ import ( multiclusterv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" multiclustercontrollers "antrea.io/antrea/multicluster/controllers/multicluster" + antreacrd "antrea.io/antrea/pkg/apis/crd/v1alpha1" "antrea.io/antrea/pkg/apiserver/certificate" // +kubebuilder:scaffold:imports ) @@ -59,6 +60,7 @@ func init() { utilruntime.Must(clientgoscheme.AddToScheme(scheme)) utilruntime.Must(k8smcsv1alpha1.AddToScheme(scheme)) utilruntime.Must(multiclusterv1alpha1.AddToScheme(scheme)) + utilruntime.Must(antreacrd.AddToScheme(scheme)) //+kubebuilder:scaffold:scheme } diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml new file mode 100644 index 00000000000..7821d2e745a --- /dev/null +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml 
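Review bot: The new import alias `antreacrd` departs from the naming of the neighbouring aliases in this block (`multiclusterv1alpha1`, `k8smcsv1alpha1`), which carry the API version in the name; suggest `antreacrdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"` here and `utilruntime.Must(antreacrdv1alpha1.AddToScheme(scheme))` in the second hunk. A short why-comment above the added `Must` call, such as `// Antrea CRD types are registered so the controller can reconcile imported ClusterNetworkPolicies.`, would explain the multicluster controller's new dependency on the core Antrea API to a reader of `init()`. Both the import block and `init()` start outside the hunks.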
@@ -0,0 +1,77 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: acnpimports.multicluster.crd.antrea.io +spec: + group: multicluster.crd.antrea.io + names: + kind: ACNPImport + listKind: ACNPImportList + plural: acnpimports + singular: acnpimport + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ACNPImport describes an ACNP imported from the leader cluster + in a ClusterSet. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: Status is one of {"True", "False", "Unknown"} + enum: + - "True" + - "False" + - Unknown + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
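Review bot: The generated schema carries no `description` for `conditions` itself or for its `type`, `reason`, `message` and `lastTransitionTime` fields, so `kubectl explain` on `acnpimports.status` will be mostly blank; since this file is controller-gen output (`controller-gen.kubebuilder.io/version: v0.4.1`), the fix belongs in doc comments on the corresponding Go status types in the API package rather than in this file. The kind description says an ACNPImport "describes an ACNP imported from the leader cluster", but the schema has no `spec`, so a sentence stating how the object relates to the imported policy and what the status conditions report (if that is the intended contract) would help operators reading the CRD. `conditions[].type` is an unconstrained string while `conditions[].status` has an enum; if the set of condition types is fixed, an enum marker on the Go type would validate it as well.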
diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml index a2839dc02e6..7539481a70a 100644 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml 
@@ -40,6 +40,1616 @@ spec: description: ClusterID specifies the member cluster this resource exported from. type: string + clusternetworkpolicy: + description: If exported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector + of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
+ A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. 
+ properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' 
+ type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. 
If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. 
If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. 
It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. 
This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. 
Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to + a v1.Service. 
+ properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. 
Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. 
+ type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. 
+ items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. 
+ items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to + a v1.Service. + properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. 
+ type: string + required: + - priority + type: object endpoints: description: If exported resource is EndPoints. properties: diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml index a7e31350907..ef9b9827319 100644 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml 
@@ -42,6 +42,1616 @@ spec: items: type: string type: array + clusternetworkpolicy: + description: If imported resource is AntreaClusterNetworkPolicy. + properties: + appliedTo: + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. + items: + description: NetworkPolicyPeer describes the grouping selector + of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. + properties: + cidr: + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
+ If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: array + egress: + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. 
+ If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. 
+ A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. 
If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. 
If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. 
It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. 
This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. 
Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to + a v1.Service. 
+ properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. + items: + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. + properties: + action: + description: Action specifies the action to be applied on + the rule. + type: string + appliedTo: + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. 
Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. 
+ type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + enableLogging: + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. + type: boolean + from: + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. 
+ items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + name: + description: Name describes the intention of this rule. + Name should be unique within the policy. + type: string + ports: + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. + items: + description: NetworkPolicyPort describes the port and + protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. 
+ items: + description: NetworkPolicyPeer describes the grouping + selector of workloads. + properties: + externalEntitySelector: + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + fqdn: + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. 
"google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' + type: string + group: + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. + type: string + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. + properties: + cidr: + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". + type: string + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' + properties: + match: + description: NamespaceMatchType describes Namespace + matching strategy. + type: string + type: object + podSelector: + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + type: object + type: array + toServices: + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. + items: + description: ServiceReference represents a reference to + a v1.Service. + properties: + name: + description: Name of the Service + type: string + namespace: + description: Namespace of the Service + type: string + required: + - name + type: object + type: array + required: + - action + type: object + type: array + priority: + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. + type: number + tier: + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. 
+ type: string
+ required:
+ - priority
+ type: object
 endpoints:
 description: If imported resource is EndPoints.
 properties:
diff --git a/multicluster/config/crd/kustomization.yaml b/multicluster/config/crd/kustomization.yaml
index 7f77de35ec8..87c307449eb 100644
--- a/multicluster/config/crd/kustomization.yaml
+++ b/multicluster/config/crd/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
 - bases/multicluster.crd.antrea.io_resourceimportfilters.yaml
 - bases/multicluster.crd.antrea.io_resourceexports.yaml
 - bases/multicluster.crd.antrea.io_resourceimports.yaml
+- bases/multicluster.crd.antrea.io_acnpimports.yaml
 - k8smcs/multicluster.x-k8s.io_serviceexports.yaml
 - k8smcs/multicluster.x-k8s.io_serviceimports.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
diff --git a/multicluster/config/rbac/role.yaml b/multicluster/config/rbac/role.yaml
index e8831e63cce..2f69305e473 100644
--- a/multicluster/config/rbac/role.yaml
+++ b/multicluster/config/rbac/role.yaml
@@ -30,6 +30,46 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - crd.antrea.io
+ resources:
+ - clusternetworkpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - crd.antrea.io
+ resources:
+ - tiers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - multicluster.crd.antrea.io
+ resources:
+ - acnpimports
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - multicluster.crd.antrea.io
+ resources:
+ - acnpimports/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - multicluster.crd.antrea.io
 resources:
diff --git a/multicluster/controllers/multicluster/common/helper.go b/multicluster/controllers/multicluster/common/helper.go
index 839421b5334..d6c861f0358 100644
--- a/multicluster/controllers/multicluster/common/helper.go
+++ b/multicluster/controllers/multicluster/common/helper.go
@@ -17,12 +17,14 @@ import corev1 "k8s.io/api/core/v1"
 const (
 AntreaMCServiceAnnotation = "multicluster.antrea.io/imported-service"
+ AntreaMCACNPAnnotation = "multicluster.antrea.io/imported-acnp"
 AntreaMCClusterIDAnnotation = "multicluster.antrea.io/local-cluster-id"
- AntreaMCSPrefix = "antrea-mc-"
- ServiceKind = "Service"
- EndpointsKind = "Endpoints"
- ServiceImportKind = "ServiceImport"
+ AntreaMCSPrefix = "antrea-mc-"
+ ServiceKind = "Service"
+ EndpointsKind = "Endpoints"
+ AntreaClusterNetworkPolicyKind = "AntreaClusterNetworkPolicy"
+ ServiceImportKind = "ServiceImport"
 SourceName = "sourceName"
 SourceNamespace = "sourceNamespace"
diff --git a/multicluster/controllers/multicluster/commonarea/remote_common_area_manager.go b/multicluster/controllers/multicluster/commonarea/remote_common_area_manager.go
index e99ffa057b7..8654942cbe2 100644
--- a/multicluster/controllers/multicluster/commonarea/remote_common_area_manager.go
+++ b/multicluster/controllers/multicluster/commonarea/remote_common_area_manager.go
@@ -35,7 +35,7 @@ type clusterEvent struct {
 type RemoteCommonAreaManager interface {
 // Start starts RemoteCommonAreaManager on an event loop which runs in a goroutine
 Start() error
- // Stop stop RemoteCommonAreaManager by terminating the event loop.
+ // Stop stops RemoteCommonAreaManager by terminating the event loop.
 Stop() error
 // AddRemoteCommonArea adds a RemoteCommonArea to RemoteCommonAreaManager.
 AddRemoteCommonArea(remoteCommonArea RemoteCommonArea)
diff --git a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
index b5952acf851..cd8ca0441b7 100644
--- a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
+++ b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
@@ -37,6 +37,7 @@ import (
 multiclusterv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1"
 "antrea.io/antrea/multicluster/controllers/multicluster/common"
+ "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 )
 const (
@@ -77,8 +78,12 @@ func NewResourceImportReconciler(client client.Client, scheme *runtime.Scheme, l
 }
 }
+//+kubebuilder:rbac:groups=crd.antrea.io,resources=clusternetworkpolicies,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=crd.antrea.io,resources=tiers,verbs=get;list;watch
 //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=acnpimports,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=acnpimports/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports/finalizers,verbs=update
 //+kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceimports,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceimports/status,verbs=get;update;patch
@@ -129,6 +134,11 @@ func (r *ResourceImportReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 return r.handleResImpDeleteForEndpoints(ctx, &resImp)
 }
 return r.handleResImpUpdateForEndpoints(ctx, &resImp)
+ case common.AntreaClusterNetworkPolicyKind:
+ if isDeleted {
+ return r.handleResImpDeleteForClusterNetworkPolicy(ctx, &resImp)
+ }
+ return r.handleResImpUpdateForClusterNetworkPolicy(ctx, &resImp)
 }
 // TODO: handle for other ResImport Kinds
 return ctrl.Result{}, nil
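Review bot: The two new `crd.antrea.io` markers in the second hunk give the member controller cluster-wide create/update/delete on every ClusterNetworkPolicy, and nothing in the hunk records that the controller is meant to touch only the policies it imported itself (the `antrea-mc-` name prefix and the `multicluster.antrea.io/imported-acnp` annotation are checked elsewhere in this file). A comment above the first new marker, `// This controller only creates, updates and deletes ClusterNetworkPolicies it imported itself, identified by the AntreaMCSPrefix name prefix and the AntreaMCACNPAnnotation annotation.`, makes the scope of the grant auditable against the generated role.yaml. Tiers are read-only here, which matches the `tiers` marker.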
@@ -242,15 +252,14 @@ func (r *ResourceImportReconciler) handleResImpDeleteForService(ctx context.Cont
 err = r.localClusterClient.Get(ctx, svcName, svc)
 if err != nil {
 if apierrors.IsNotFound(err) {
+ klog.V(2).InfoS("Service corresponding to ResourceImport has already been deleted",
+ "service", svcName.String(), "resourceimport", klog.KObj(resImp))
 return cleanupServiceImport()
 }
 return ctrl.Result{}, err
 }
 err = r.localClusterClient.Delete(ctx, svc, &client.DeleteOptions{})
 if err != nil {
- if apierrors.IsNotFound(err) {
- return cleanupServiceImport()
- }
 return ctrl.Result{}, err
 }
 return cleanupServiceImport()
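Review bot: Dropping the IsNotFound check after `Delete` means a Service removed between the Get and the Delete now surfaces as an error and a requeue instead of completing `cleanupServiceImport()` in the same pass; the next reconcile recovers through the NotFound branch above, so this is a robustness regression rather than a leak. Keeping the tolerance without the removed block is one line, `if err != nil && !apierrors.IsNotFound(err) {` guarding `return ctrl.Result{}, err`, after which control falls through to `return cleanupServiceImport()`. handleResImpDeleteForService begins outside the hunk.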
@@ -342,6 +351,129 @@ func (r *ResourceImportReconciler) handleResImpDeleteForEndpoints(ctx context.Co
 return ctrl.Result{}, nil
 }
+func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) {
+ acnpImpName := types.NamespacedName{
+ Namespace: "",
+ Name: resImp.Spec.Name,
+ }
+ acnpName := types.NamespacedName{
+ Namespace: "",
+ Name: common.AntreaMCSPrefix + resImp.Spec.Name,
+ }
+ klog.InfoS("Updating ACNP and ACNPImport corresponding to ResourceImport",
+ "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp))
+
+ acnp := &v1alpha1.ClusterNetworkPolicy{}
+ err := r.localClusterClient.Get(ctx, acnpName, acnp)
+ acnpNotFound := apierrors.IsNotFound(err)
+ if err != nil && !acnpNotFound {
+ return ctrl.Result{}, err
+ }
+ if !acnpNotFound {
+ if _, ok := acnp.Annotations[common.AntreaMCACNPAnnotation]; !ok {
+ err := errors.New("unable to import Antrea ClusterNetworkPolicy which conflicts with existing one")
+ klog.ErrorS(err, "", "acnp", klog.KObj(acnp))
+ return ctrl.Result{}, err
+ }
+ }
+ acnpObj := getMCAntreaClusterPolicy(resImp)
+ tierKind, tierName := &v1alpha1.Tier{}, acnpObj.Spec.Tier
+ err = r.localClusterClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tierName}, tierKind)
+ tierNotFound := apierrors.IsNotFound(err)
+ if acnpNotFound && !tierNotFound {
+ if err = r.localClusterClient.Create(ctx, acnpObj, &client.CreateOptions{}); err != nil {
+ klog.ErrorS(err, "failed to create imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj))
+ return ctrl.Result{}, err
+ }
+ } else if !acnpNotFound && tierNotFound {
+ if err = r.localClusterClient.Delete(ctx, acnpObj, &client.DeleteOptions{}); err != nil {
+ klog.ErrorS(err, "failed to delete imported Antrea ClusterNetworkPolicy that no longer have a valid Tier for the current cluster", "acnp", klog.KObj(acnpObj))
+ return ctrl.Result{}, err
+ }
+ } else if !apiequality.Semantic.DeepEqual(acnp.Spec, acnpObj.Spec) {
+ acnp.Spec = acnpObj.Spec
+ if err = r.localClusterClient.Update(ctx, acnp, &client.UpdateOptions{}); err != nil {
+ klog.ErrorS(err, "failed to update imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj))
+ return ctrl.Result{}, err
+ }
+ }
+ acnpImp := &multiclusterv1alpha1.ACNPImport{}
+ err = r.localClusterClient.Get(ctx, acnpImpName, acnpImp)
+ acnpImpNotFound := apierrors.IsNotFound(err)
+ if err != nil && !acnpImpNotFound {
+ klog.ErrorS(err, "failed to get existing ACNPImports")
+ return ctrl.Result{}, err
+ }
+ acnpImpObj := getACNPImport(resImp, tierNotFound)
+ if acnpImpNotFound {
+ err := r.localClusterClient.Create(ctx, acnpImpObj, &client.CreateOptions{})
+ if err != nil {
+ klog.ErrorS(err, "failed to create ACNPImport", "acnpimport", klog.KObj(acnpImpObj))
+ return ctrl.Result{}, err
+ }
+ r.installedResImports.Add(*resImp)
+ }
+ patchACNPImportStatus := false
+ if len(acnpImp.Status.Conditions) == 0 {
+ acnpImp.Status = acnpImpObj.Status
+ patchACNPImportStatus = true
+ } else {
+ if acnpImp.Status.Conditions[0].Status != acnpImpObj.Status.Conditions[0].Status {
+ acnpImp.Status = acnpImpObj.Status
+ patchACNPImportStatus = true
+ }
+ }
+ if patchACNPImportStatus {
+ if err := r.localClusterClient.Status().Update(ctx, acnpImp); err != nil {
+ klog.ErrorS(err, "failed to update acnpImport status", "acnpImport", klog.KObj(acnpImp))
+ }
+ }
+ return ctrl.Result{}, nil
+}
+
+func (r *ResourceImportReconciler) handleResImpDeleteForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) {
+ acnpImpName := types.NamespacedName{
+ Namespace: "",
+ Name: resImp.Spec.Name,
+ }
+ acnpName := types.NamespacedName{
+ Namespace: "",
+ Name: common.AntreaMCSPrefix + resImp.Spec.Name,
+ }
+ klog.InfoS("Deleting ACNP and ACNPImport corresponding to ResourceImport",
+ "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp))
+
+ var err error
+ cleanupACNPImport := func() (ctrl.Result, error) {
+ acnpImp := &multiclusterv1alpha1.ACNPImport{}
+ err = r.localClusterClient.Get(ctx, acnpImpName, acnpImp)
+ if err != nil {
+ return ctrl.Result{}, client.IgnoreNotFound(err)
+ }
+ err = r.localClusterClient.Delete(ctx, acnpImp, &client.DeleteOptions{})
+ if err != nil {
+ return ctrl.Result{}, client.IgnoreNotFound(err)
+ }
+ return ctrl.Result{}, nil
+ }
+
+ acnp := &v1alpha1.ClusterNetworkPolicy{}
+ err = r.localClusterClient.Get(ctx, acnpName, acnp)
+ if err != nil {
+ if apierrors.IsNotFound(err) {
+ klog.V(2).InfoS("ACNP corresponding to ResourceImport has already been deleted",
+ "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp))
+ return cleanupACNPImport()
+ }
+ return ctrl.Result{}, err
+ }
+ err = r.localClusterClient.Delete(ctx, acnp, &client.DeleteOptions{})
+ if err != nil {
+ return ctrl.Result{}, err
+ }
+ return cleanupACNPImport()
+}
+
 func getMCService(resImp *multiclusterv1alpha1.ResourceImport) *corev1.Service {
 mcsPorts := []corev1.ServicePort{}
 for _, p := range resImp.Spec.ServiceImport.Spec.Ports {
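Review bot: `getMCAntreaClusterPolicy` returns nil when `resImp.Spec.ClusterNetworkPolicy` is nil, and `acnpObj.Spec.Tier` in handleResImpUpdateForClusterNetworkPolicy dereferences the result unchecked (as does `acnpImpObj.Status` further down), so a ResourceImport of this kind with an empty policy spec panics the reconciler unless validation elsewhere rules that out. The Tier lookup is classified only with `IsNotFound`, so any other Get error is ignored and the code goes on to create, delete or update the ACNP as if the Tier's existence were known. When the ACNPImport does not exist yet, `Status().Update` is then called on the empty `acnpImp` rather than on the object Create populated, so the initial condition is never written if the CRD serves status as a subresource, and that update error is only logged, never returned. In handleResImpDeleteForClusterNetworkPolicy the ACNP is deleted without the `AntreaMCACNPAnnotation` check the update path applies, so a locally authored policy that happens to carry the `antrea-mc-` prefix would be removed on a remote deletion; the same `if _, ok := acnp.Annotations[common.AntreaMCACNPAnnotation]; !ok` test belongs before that Delete. The excerpt below adds the nil and Tier-error guards and retargets the status update.
```go
	acnpObj := getMCAntreaClusterPolicy(resImp)
	if acnpObj == nil {
		err := errors.New("ResourceImport of kind AntreaClusterNetworkPolicy carries no ClusterNetworkPolicy spec")
		klog.ErrorS(err, "", "resourceimport", klog.KObj(resImp))
		return ctrl.Result{}, err
	}
	tierKind, tierName := &v1alpha1.Tier{}, acnpObj.Spec.Tier
	err = r.localClusterClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tierName}, tierKind)
	tierNotFound := apierrors.IsNotFound(err)
	if err != nil && !tierNotFound {
		// Anything other than NotFound must not be read as "Tier absent"; requeue instead.
		return ctrl.Result{}, err
	}
	// … unchanged: create / delete / update of the imported ACNP, Get of the existing ACNPImport …
	// acnpObj != nil above means resImp.Spec.ClusterNetworkPolicy is set, so acnpImpObj is non-nil too.
	acnpImpObj := getACNPImport(resImp, tierNotFound)
	patchACNPImportStatus := false
	if acnpImpNotFound {
		if err := r.localClusterClient.Create(ctx, acnpImpObj, &client.CreateOptions{}); err != nil {
			klog.ErrorS(err, "failed to create ACNPImport", "acnpimport", klog.KObj(acnpImpObj))
			return ctrl.Result{}, err
		}
		r.installedResImports.Add(*resImp)
		// If status is served as a subresource the Status sent with Create is dropped, so write it
		// explicitly on the object Create populated rather than on the empty acnpImp.
		acnpImp = acnpImpObj
		patchACNPImportStatus = true
	} else if len(acnpImp.Status.Conditions) == 0 ||
		acnpImp.Status.Conditions[0].Status != acnpImpObj.Status.Conditions[0].Status {
		acnpImp.Status = acnpImpObj.Status
		patchACNPImportStatus = true
	}
	if patchACNPImportStatus {
		if err := r.localClusterClient.Status().Update(ctx, acnpImp); err != nil {
			klog.ErrorS(err, "failed to update acnpImport status", "acnpImport", klog.KObj(acnpImp))
			// Returning the error requeues the import instead of leaving the status stale.
			return ctrl.Result{}, err
		}
	}
	return ctrl.Result{}, nil
```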
@@ -379,6 +511,57 @@ func getMCServiceImport(resImp *multiclusterv1alpha1.ResourceImport, clusterID s return svcImp } +func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1alpha1.ClusterNetworkPolicy { + if resImp.Spec.ClusterNetworkPolicy == nil { + return nil + } + return &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + resImp.Spec.Name, + Annotations: map[string]string{ + common.AntreaMCACNPAnnotation: "true", + }, + }, + Spec: *resImp.Spec.ClusterNetworkPolicy, + } +} + +func getACNPImport(resImp *multiclusterv1alpha1.ResourceImport, tierNotFound bool) *multiclusterv1alpha1.ACNPImport { + if resImp.Spec.ClusterNetworkPolicy == nil { + return nil + } + return &multiclusterv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: resImp.Spec.Name, + }, + Status: multiclusterv1alpha1.ACNPImportStatus{ + Conditions: []multiclusterv1alpha1.ACNPImportCondition{ + getACNPImportStatus(tierNotFound), + }, + }, + } +} + +func getACNPImportStatus(tierNotFound bool) multiclusterv1alpha1.ACNPImportCondition { + tierNotFoundReason := "TierNotFound" + tierNotFoundMessage := "ACNP Tier does not exist in the importing cluster" + time := metav1.Now() + if tierNotFound { + return multiclusterv1alpha1.ACNPImportCondition{ + Type: multiclusterv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionFalse, + LastTransitionTime: &time, + Reason: &tierNotFoundReason, + Message: &tierNotFoundMessage, + } + } + return multiclusterv1alpha1.ACNPImportCondition{ + Type: multiclusterv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionTrue, + LastTransitionTime: &time, + } +} + func removeLocalSubsets(local []corev1.EndpointSubset, allSubsets []corev1.EndpointSubset) []corev1.EndpointSubset { filteredLocal := common.FilterEndpointSubsets(local) size := len(allSubsets) 
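Review bot: getACNPImport returns nil when `resImp.Spec.ClusterNetworkPolicy` is nil, but its only visible caller in the preceding hunk (the function containing `acnpImpObj := getACNPImport(resImp, tierNotFound)`, whose start is outside this view) reads `acnpImpObj.Status` and `acnpImpObj.Status.Conditions[0]` with no nil check, so a ResourceImport of ACNP kind with an empty policy spec would panic the reconciler unless an earlier check I cannot see rules it out; either drop the nil branch here or guard the call site. In getACNPImportStatus the local `time := metav1.Now()` shadows the standard `time` package name for the rest of the function; `now := metav1.Now()` reads better and avoids the shadow. A short doc comment would also help, e.g. `// getACNPImportStatus returns the Realizable condition for an ACNPImport: False with reason TierNotFound when the referenced Tier is absent in the importing cluster, True otherwise.`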
diff --git a/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go b/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go index 3f895a2e278..140a9988e6f 100644 --- a/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go +++ b/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go @@ -36,13 +36,16 @@ import ( mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" "antrea.io/antrea/multicluster/controllers/multicluster/common" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) var ( - localClusterID = "cluster-a" - leaderNamespace = "default" - svcResImportName = "default-nginx-service" - epResImportName = "default-nginx-endpoints" + localClusterID = "cluster-a" + leaderNamespace = "default" + svcResImportName = leaderNamespace + "-" + "nginx-service" + epResImportName = leaderNamespace + "-" + "nginx-endpoints" + acnpImportName = "acnp-for-isolation" + acnpResImportName = leaderNamespace + "-" + acnpImportName svcImportReq = ctrl.Request{NamespacedName: types.NamespacedName{ Namespace: leaderNamespace, @@ -52,6 +55,14 @@ var ( Namespace: leaderNamespace, Name: epResImportName, }} + acnpImpReq = ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: acnpResImportName, + }} + acnpImpNoMatchingTierReq = ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: "default-acnp-no-matching-tier", + }} ctx = context.Background() scheme = runtime.NewScheme() 
@@ -108,10 +119,68 @@ var ( }, }, } + allowAction = v1alpha1.RuleActionAllow + dropAction = v1alpha1.RuleActionDrop + securityOpsTier = &v1alpha1.Tier{ + ObjectMeta: metav1.ObjectMeta{ + Name: "securityops", + }, + Spec: v1alpha1.TierSpec{ + Priority: int32(100), + Description: "[READ-ONLY]: System generated SecurityOps Tier", + }, + } + acnpResImport = &mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: acnpResImportName, + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: acnpImportName, + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + Ingress: []v1alpha1.Rule{ + { + Action: &dropAction, + From: []v1alpha1.NetworkPolicyPeer{ + { + Namespaces: &v1alpha1.PeerNamespaces{ + Match: v1alpha1.NamespaceMatchSelf, + }, + }, + }, + }, + }, + }, + }, + } + acnpResImportNoMatchingTier = &mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: "default-acnp-no-matching-tier", + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: "acnp-no-matching-tier", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "somerandomtier", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } ) func init() { utilruntime.Must(mcsv1alpha1.AddToScheme(scheme)) + utilruntime.Must(v1alpha1.AddToScheme(scheme)) utilruntime.Must(k8smcsapi.AddToScheme(scheme)) utilruntime.Must(k8sscheme.AddToScheme(scheme)) } 
@@ -171,6 +240,68 @@ func TestResourceImportReconciler_handleCreateEvent(t *testing.T) { } } +func TestResourceImportReconciler_handleCopySpanACNPCreateEvent(t *testing.T) { + remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + defer remoteMgr.Stop() + + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(securityOpsTier).Build() + fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(acnpResImport, acnpResImportNoMatchingTier).Build() + remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + tests := []struct { + name string + acnpImportName string + req ctrl.Request + expectedSuccess bool + }{ + { + name: "import ACNP of pre-defined tiers", + acnpImportName: acnpImportName, + req: acnpImpReq, + expectedSuccess: true, + }, + { + name: "import ACNP of non-existing tier", + acnpImportName: "acnp-no-matching-tier", + req: acnpImpNoMatchingTierReq, + expectedSuccess: false, + }, + } + r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, localClusterID, remoteCluster) + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if _, err := r.Reconcile(ctx, tt.req); err != nil { + if err != nil { + t.Errorf("ResourceImport Reconciler should handle ACNP create event successfully but got error = %v", err) + } + } else { + acnp := &v1alpha1.ClusterNetworkPolicy{} + err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + tt.acnpImportName}, acnp) + if tt.expectedSuccess && err != nil { + t.Errorf("ResourceImport Reconciler should import an ACNP successfully but got error = %v", err) + } else if !tt.expectedSuccess && (err == nil || !apierrors.IsNotFound(err)) { + t.Errorf("ResourceImport Reconciler should not import an ACNP whose Tier does not exist in current cluster. Expected NotFound error. 
Actual err = %v", err) + } + acnpImport := &mcsv1alpha1.ACNPImport{} + if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tt.acnpImportName}, acnpImport); err != nil { + t.Errorf("ResourceImport Reconciler should create ACNPImport for ACNP type resouc") + } + status := acnpImport.Status.Conditions + if len(status) > 0 && status[0].Type == mcsv1alpha1.ACNPImportRealizable { + if tt.expectedSuccess && status[0].Status != corev1.ConditionTrue { + t.Errorf("ACNPImport %v realizable status should be True but is %v instead", acnpImportName, status[0].Status) + } else if !tt.expectedSuccess && status[0].Status != corev1.ConditionFalse { + t.Errorf("ACNPImport %v realizable status should be False but is %v instead", acnpImportName, status[0].Status) + } + } else { + t.Errorf("No realizable status provided for ACNPImport %v", acnpImportName) + } + } + }) + } +} + func TestResourceImportReconciler_handleDeleteEvent(t *testing.T) { remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) go remoteMgr.Start() 
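Review bot: In the subtest body the check `if _, err := r.Reconcile(ctx, tt.req); err != nil { if err != nil {` nests a condition that is always true; drop the inner `if`. The failure message for the ACNPImport Get has a typo and discards the error: use `t.Errorf("ResourceImport Reconciler should create ACNPImport for ACNP type ResourceImport but got error = %v", err)`. The two realizable-status messages and the "No realizable status" message interpolate the package-level `acnpImportName` rather than `tt.acnpImportName`, so a failure in the "acnp-no-matching-tier" case would report the wrong object name.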
@@ -245,6 +376,42 @@ func TestResourceImportReconciler_handleDeleteEvent(t *testing.T) { } } +func TestResourceImportReconciler_handleCopySpanACNPDeleteEvent(t *testing.T) { + remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + defer remoteMgr.Stop() + + existingACNP := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + acnpImportName, + }, + } + existingACNPImport := &mcsv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: acnpImportName, + }, + } + + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP, existingACNPImport).Build() + fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).Build() + remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, localClusterID, remoteCluster) + r.installedResImports.Add(*acnpResImport) + + if _, err := r.Reconcile(ctx, acnpImpReq); err != nil { + t.Errorf("ResourceImport Reconciler should handle ACNP ResourceImport delete event successfully but got error = %v", err) + } + acnp := &v1alpha1.ClusterNetworkPolicy{} + if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + acnpImportName}, acnp); !apierrors.IsNotFound(err) { + t.Errorf("ResourceImport Reconciler should delete ACNP successfully but got error = %v", err) + } + acnpImport := &mcsv1alpha1.ACNPImport{} + if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: acnpImportName}, acnpImport); !apierrors.IsNotFound(err) { + t.Errorf("ResourceImport Reconciler should delete ACNPImport successfully but got error = %v", err) + } +} + func TestResourceImportReconciler_handleUpdateEvent(t *testing.T) { remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) go remoteMgr.Start() 
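Review bot: The two post-condition checks enter their `t.Errorf` branch whenever `!apierrors.IsNotFound(err)`, which includes `err == nil` (the object still exists), yet the message says "got error = %v" and would print `error = <nil>` in exactly the case the test is meant to catch. Reword to state the actual expectation, e.g. `t.Errorf("ACNP should have been deleted, but Get returned err = %v", err)` and the same for the ACNPImport check.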
@@ -495,6 +662,219 @@ func TestResourceImportReconciler_handleUpdateEvent(t *testing.T) { } } +func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { + remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + defer remoteMgr.Stop() + + existingACNP1 := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + acnpImportName, + Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, + }, + Spec: v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + Ingress: []v1alpha1.Rule{ + { + Action: &allowAction, + 
From: []v1alpha1.NetworkPolicyPeer{ + { + Namespaces: &v1alpha1.PeerNamespaces{ + Match: v1alpha1.NamespaceMatchSelf, + }, + }, + }, + }, + }, + }, + } + existingACNPImport1 := &mcsv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: acnpImportName, + }, + Status: mcsv1alpha1.ACNPImportStatus{ + Conditions: []mcsv1alpha1.ACNPImportCondition{ + { + Type: mcsv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionTrue, + }, + }, + }, + } + existingACNPImport2 := &mcsv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: "acnp-no-matching-tier", + }, + Status: mcsv1alpha1.ACNPImportStatus{ + Conditions: []mcsv1alpha1.ACNPImportCondition{ + { + Type: mcsv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionFalse, + }, + }, + }, + } + updatedResImport2 := &mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: "default-acnp-no-matching-tier", + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: "acnp-no-matching-tier", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } + existingACNP3 := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + "valid-updated-to-no-valid", + Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, + }, + Spec: v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + } + existingACNPImport3 := &mcsv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: "valid-updated-to-no-valid", + }, + Status: mcsv1alpha1.ACNPImportStatus{ + Conditions: []mcsv1alpha1.ACNPImportCondition{ + { + Type: mcsv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionTrue, + }, + }, + }, + } + updatedResImport3 := 
&mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: "default-valid-updated-to-no-valid", + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: acnpImportName, + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "somerandomtier", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } + acnpImp3Req := ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: "default-valid-updated-to-no-valid", + }} + acnpImp4Req := ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: "default-name-conflict", + }} + existingACNP4 := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + "name-conflict", + }, + Spec: v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + } + + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP1, existingACNPImport1, existingACNPImport2, + existingACNP3, existingACNPImport3, existingACNP4, securityOpsTier).Build() + fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(acnpResImport, updatedResImport2, updatedResImport3).Build() + remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, localClusterID, remoteCluster) + r.installedResImports.Add(*acnpResImport) + r.installedResImports.Add(*acnpResImportNoMatchingTier) + r.installedResImports.Add(*updatedResImport3) + + tests := []struct { + name string + acnpImportName string + req ctrl.Request + expectErr bool + expectImportSuccess bool + expectedUpdatedACNPSpec *v1alpha1.ClusterNetworkPolicySpec + }{ + { + name: "update acnp 
spec", + acnpImportName: acnpImportName, + req: acnpImpReq, + expectErr: false, + expectImportSuccess: true, + expectedUpdatedACNPSpec: acnpResImport.Spec.ClusterNetworkPolicy, + }, + { + name: "imported acnp missing tier update to valid tier", + acnpImportName: "acnp-no-matching-tier", + req: acnpImpNoMatchingTierReq, + expectErr: false, + expectImportSuccess: true, + expectedUpdatedACNPSpec: updatedResImport2.Spec.ClusterNetworkPolicy, + }, + { + name: "valid imported acnp update to missing tier", + req: acnpImp3Req, + acnpImportName: "valid-updated-to-no-valid", + expectErr: false, + expectImportSuccess: false, + expectedUpdatedACNPSpec: nil, + }, + { + name: "name conflict with existing acnp", + req: acnpImp4Req, + acnpImportName: "name-conflict", + expectErr: true, + expectImportSuccess: false, + expectedUpdatedACNPSpec: nil, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if _, err := r.Reconcile(ctx, tt.req); err != nil { + if tt.expectErr { + assert.Contains(t, err.Error(), "conflicts with existing one") + } else { + t.Errorf("ResourceImport Reconciler should handle update event successfully but got error = %v", err) + } + } else { + if tt.expectedUpdatedACNPSpec != nil { + acnp := &v1alpha1.ClusterNetworkPolicy{} + err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + tt.acnpImportName}, acnp) + if tt.expectImportSuccess && err != nil { + t.Errorf("ResourceImport Reconciler should import an ACNP successfully but got error = %v", err) + } else if !tt.expectImportSuccess && (err == nil || !apierrors.IsNotFound(err)) { + t.Errorf("ResourceImport Reconciler should not import an ACNP whose Tier does not exist in current cluster. Expected NotFound error. 
Actual err = %v", err) + } else if !reflect.DeepEqual(acnp.Spec, *tt.expectedUpdatedACNPSpec) { + t.Errorf("ACNP spec was not updated successfully") + } + } + } + }) + } +} + func checkAnnotation(t *testing.T, svcImport *k8smcsapi.ServiceImport) { id, ok := svcImport.Annotations[common.AntreaMCClusterIDAnnotation] if id != localClusterID || !ok { diff --git a/multicluster/controllers/multicluster/resourceexport_controller.go b/multicluster/controllers/multicluster/resourceexport_controller.go index 8f3254b8c94..9b7e707bc56 100644 --- a/multicluster/controllers/multicluster/resourceexport_controller.go +++ b/multicluster/controllers/multicluster/resourceexport_controller.go @@ -74,7 +74,7 @@ func NewResourceExportReconciler( // Reconcile will process all kinds of ResourceExport. Service and Endpoint kinds of ResourceExport // will be handled in this file, and all other kinds will have their own handler files, eg: newkind_handler.go func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { - klog.V(2).InfoS("reconciling ResourceExport", "resourceexport", req.NamespacedName) + klog.InfoS("reconciling ResourceExport", "resourceexport", req.NamespacedName) var resExport mcsv1alpha1.ResourceExport if err := r.Client.Get(ctx, req.NamespacedName, &resExport); err != nil { return ctrl.Result{}, client.IgnoreNotFound(err) 
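Review bot: The "valid imported acnp update to missing tier" case sets `expectedUpdatedACNPSpec: nil`, and every post-condition check in the subtest sits inside `if tt.expectedUpdatedACNPSpec != nil`, so the `!tt.expectImportSuccess` NotFound branch is unreachable and that case only asserts that Reconcile returned no error — removal of the ACNP from the importing cluster is never verified. Move the `fakeClient.Get` and the NotFound assertion out of the nil guard and keep only the `reflect.DeepEqual` comparison behind it. Separately, `updatedResImport3` carries `Spec.Name: acnpImportName` while its ObjectMeta name and `existingACNP3`/`existingACNPImport3` use "valid-updated-to-no-valid"; this looks like a fixture mismatch that would make `acnpImp3Req` act on the "acnp-for-isolation" policy instead, worth confirming.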
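Review bot: The reconcile entry log is raised from `klog.V(2).InfoS` to `klog.InfoS`, so every ResourceExport reconcile now emits a line at default verbosity; the new `klog.Info("There are finalizers, handling delete event")` and `klog.Info("There are no finalizers, returning")` in the `@@ -101,16 +99,18 @@` hunk and `klog.Infof("There is resImport to delete named %s", resImportName)` in the `@@ -208,6 +210,7 @@` hunk have the same effect and are also unstructured, while the rest of the file uses InfoS with key/value pairs. These read like debugging aids left in; either drop them or keep them at `klog.V(2).InfoS("handling delete event for ResourceExport with finalizer", "resourceexport", req.NamespacedName)` style so the default-level log stays readable for real events.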
@@ -85,10 +85,8 @@ func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Reque klog.V(2).InfoS("Reconciling Service type of ResourceExport", "resourceexport", req.NamespacedName) case common.EndpointsKind: klog.V(2).InfoS("Reconciling Endpoint type of ResourceExport", "resourceexport", req.NamespacedName) - // Developer can add more supported kinds here in the future. - // eg: add a new case and a new method 'handleNewKind' in a new file like 'newkind_handler.go' - // case common.NewKind: - // return r.handleNewKind(ctx, req, resExport) + case common.AntreaClusterNetworkPolicyKind: + klog.V(2).InfoS("Reconciling AntreaClusterNetworkPolicy type of ResourceExport", "resourceexport", req.NamespacedName) default: klog.InfoS("It's not expected kind, skip reconciling ResourceExport", "resourceexport", req.NamespacedName) return ctrl.Result{}, nil @@ -101,16 +99,18 @@ func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Reque // More details about using Finalizers, please refer to https://book.kubebuilder.io/reference/using-finalizers.html. if !resExport.DeletionTimestamp.IsZero() { if common.StringExistsInSlice(resExport.Finalizers, common.ResourceExportFinalizer) { + klog.Info("There are finalizers, handling delete event") err := r.handleDeleteEvent(ctx, &resExport) if err != nil { return ctrl.Result{}, err } return r.deleteResourceExport(&resExport) } + klog.Info("There are no finalizers, returning") return ctrl.Result{}, nil } - createResImport, existResImport, err := r.getExistingResImport(ctx, resExport) + createResImport, existingResImport, err := r.getExistingResImport(ctx, resExport) if err != nil { return ctrl.Result{}, err } 
@@ -119,9 +119,11 @@ func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Reque resImport := &mcsv1alpha1.ResourceImport{} switch resExport.Spec.Kind { case common.ServiceKind: - resImport, changed, err = r.refreshServiceResourceImport(&resExport, existResImport, createResImport) + resImport, changed, err = r.refreshServiceResourceImport(&resExport, existingResImport, createResImport) case common.EndpointsKind: - resImport, changed, err = r.refreshEndpointsResourceImport(&resExport, existResImport, createResImport) + resImport, changed, err = r.refreshEndpointsResourceImport(&resExport, existingResImport, createResImport) + case common.AntreaClusterNetworkPolicyKind: + resImport, changed, err = r.refreshACNPResourceImport(&resExport, existingResImport, createResImport) } if err != nil { r.updateResourceExportStatus(&resExport, failed) @@ -208,6 +210,7 @@ func (r *ResourceExportReconciler) handleDeleteEvent(ctx context.Context, resExp return err } resImportName := GetResourceImportName(resExport) + klog.Infof("There is resImport to delete named %s", resImportName) undeleteItems := RemoveDeletedResourceExports(reList.Items) if len(undeleteItems) == 0 { 
@@ -384,6 +387,32 @@ func (r *ResourceExportReconciler) refreshEndpointsResourceImport( return newResImport, true, nil } +func (r *ResourceExportReconciler) refreshACNPResourceImport( + resExport *mcsv1alpha1.ResourceExport, + resImport *mcsv1alpha1.ResourceImport, + createResImport bool) (*mcsv1alpha1.ResourceImport, bool, error) { + newResImport := resImport.DeepCopy() + newResImport.Spec.Name = resExport.Spec.Name + newResImport.Spec.Namespace = resExport.Spec.Namespace + newResImport.Spec.Kind = common.AntreaClusterNetworkPolicyKind + if createResImport { + newResImport.Spec.ClusterNetworkPolicy = resExport.Spec.ClusterNetworkPolicy + return newResImport, true, nil + } + if !apiequality.Semantic.DeepEqual(resExport.Spec.ClusterNetworkPolicy, resImport.Spec.ClusterNetworkPolicy) { + undeletedItems, err := r.getNotDeletedResourceExports(resExport) + if err != nil { + klog.ErrorS(err, "failed to list ResourceExports for ACNP, retry later") + return newResImport, false, err + } + if len(undeletedItems) == 1 && undeletedItems[0].Name == resExport.Name && undeletedItems[0].Namespace == resExport.Namespace { + newResImport.Spec.ClusterNetworkPolicy = resExport.Spec.ClusterNetworkPolicy + return newResImport, true, nil + } + } + return newResImport, false, nil +} + func (r *ResourceExportReconciler) getNotDeletedResourceExports(resExport *mcsv1alpha1.ResourceExport) ([]mcsv1alpha1.ResourceExport, error) { reList := &mcsv1alpha1.ResourceExportList{} err := r.Client.List(context.TODO(), reList, &client.ListOptions{ 
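Review bot: When the exported spec differs from the existing ResourceImport and the `len(undeletedItems) == 1 && undeletedItems[0].Name == resExport.Name && ...` condition does not hold, refreshACNPResourceImport falls through to `return newResImport, false, nil` and the divergence is silently dropped: a second cluster exporting a policy under the same name never propagates, and neither the log nor the ResourceExport status records that its spec lost to an earlier export. At minimum log it, e.g. `klog.InfoS("ACNP ResourceExport differs from the ResourceImport owned by another export, skipping", "resourceexport", klog.KObj(resExport))`, and consider surfacing it through the ResourceExport status so an operator can tell which cluster's policy is in effect. Separately, `newResImport.Spec.ClusterNetworkPolicy = resExport.Spec.ClusterNetworkPolicy` stores the export's pointer in the import; `resExport.Spec.ClusterNetworkPolicy.DeepCopy()` keeps the two objects independent of later mutation.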
@@ -475,9 +504,15 @@ func SvcPortsConverter(svcPort []corev1.ServicePort) []mcs.ServicePort { } func GetResourceImportName(resExport *mcsv1alpha1.ResourceExport) types.NamespacedName { + if resExport.Spec.Namespace != "" { + return types.NamespacedName{ + Namespace: resExport.Namespace, + Name: resExport.Spec.Namespace + "-" + resExport.Spec.Name + "-" + strings.ToLower(resExport.Spec.Kind), + } + } return types.NamespacedName{ Namespace: resExport.Namespace, - Name: resExport.Spec.Namespace + "-" + resExport.Spec.Name + "-" + strings.ToLower(resExport.Spec.Kind), + Name: resExport.Spec.Name + "-" + strings.ToLower(resExport.Spec.Kind), } } diff --git a/multicluster/controllers/multicluster/resourceexport_controller_test.go b/multicluster/controllers/multicluster/resourceexport_controller_test.go index ba8c20af1b0..428d162b90b 100644 --- a/multicluster/controllers/multicluster/resourceexport_controller_test.go +++ b/multicluster/controllers/multicluster/resourceexport_controller_test.go @@ -31,11 +31,13 @@ import ( mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" "antrea.io/antrea/multicluster/controllers/multicluster/common" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) var ( - now = metav1.Now() - svcLabels = map[string]string{ + now = metav1.Now() + dropAction = v1alpha1.RuleActionDrop + svcLabels = map[string]string{ common.SourceNamespace: "default", common.SourceName: "nginx", common.SourceKind: "Service", @@ -54,6 +56,29 @@ var ( Namespace: "default", Name: "cluster-a-default-nginx-endpoints", }} + acnpResReq = ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: "default", + Name: "test-acnp-export", + }} + isolationACNPSpec = &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + Ingress: []v1alpha1.Rule{ + { + Action: &dropAction, + 
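Review bot: GetResourceImportName now duplicates the Namespace/kind-suffix assembly across the two return branches; building the base name once and prefixing the namespace only when present keeps the two cases from drifting apart. Note too that the name is a plain "-" join of fields that may themselves contain "-", so a cluster-scoped Spec.Name "a-b" and a namespaced (a, b) export of the same kind would flatten to the same ResourceImport name; today only the kind suffix separates cluster-scoped kinds from namespaced ones, which is worth stating in the function's doc comment.
```go
func GetResourceImportName(resExport *mcsv1alpha1.ResourceExport) types.NamespacedName {
	name := resExport.Spec.Name + "-" + strings.ToLower(resExport.Spec.Kind)
	// Namespaced kinds are prefixed with the source namespace; cluster-scoped
	// kinds such as ACNP have no namespace to prefix.
	if resExport.Spec.Namespace != "" {
		name = resExport.Spec.Namespace + "-" + name
	}
	return types.NamespacedName{Namespace: resExport.Namespace, Name: name}
}
```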
From: []v1alpha1.NetworkPolicyPeer{ + { + Namespaces: &v1alpha1.PeerNamespaces{ + Match: v1alpha1.NamespaceMatchSelf, + }, + }, + }, + }, + }, + } ) func TestResourceExportReconciler_handleServiceExportDeleteEvent(t *testing.T) { @@ -261,6 +286,40 @@ func TestResourceExportReconciler_handleEndpointExportCreateEvent(t *testing.T) } } +func TestResourceExportReconciler_handleACNPExportCreateEvent(t *testing.T) { + existingResExport := &mcsv1alpha1.ResourceExport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "default", + Name: "test-acnp-export", + Finalizers: []string{common.ResourceExportFinalizer}, + }, + Spec: mcsv1alpha1.ResourceExportSpec{ + Name: "test-acnp", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: isolationACNPSpec, + }, + } + expectedImportSpec := mcsv1alpha1.ResourceImportSpec{ + Name: "test-acnp", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: isolationACNPSpec, + } + namespacedName := GetResourceImportName(existingResExport) + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingResExport).Build() + r := NewResourceExportReconciler(fakeClient, scheme) + if _, err := r.Reconcile(ctx, acnpResReq); err != nil { + t.Errorf("ResourceExport Reconciler should handle ACNP ResourceExport create event successfully but got error = %v", err) + } else { + resImport := &mcsv1alpha1.ResourceImport{} + err := fakeClient.Get(ctx, namespacedName, resImport) + if err != nil { + t.Errorf("failed to get ResourceImport, got error = %v", err) + } else if !reflect.DeepEqual(resImport.Spec, expectedImportSpec) { + t.Errorf("expected ResourceImport Spec %v, but got %v", expectedImportSpec, resImport.Spec) + } + } +} + var ( newResExport = &mcsv1alpha1.ResourceExport{ ObjectMeta: metav1.ObjectMeta{ 
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go
new file mode 100644
index 00000000000..c5359933c4b
--- /dev/null
+++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go
@@ -0,0 +1,183 @@ +/* +Copyright 2021 Antrea Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + scheme "antrea.io/antrea/multicluster/pkg/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// ACNPImportsGetter has a method to return a ACNPImportInterface. +// A group's client should implement this interface. +type ACNPImportsGetter interface { + ACNPImports() ACNPImportInterface +} + +// ACNPImportInterface has methods to work with ACNPImport resources. 
+type ACNPImportInterface interface { + Create(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.CreateOptions) (*v1alpha1.ACNPImport, error) + Update(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (*v1alpha1.ACNPImport, error) + UpdateStatus(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (*v1alpha1.ACNPImport, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.ACNPImport, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.ACNPImportList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ACNPImport, err error) + ACNPImportExpansion +} + +// aCNPImports implements ACNPImportInterface +type aCNPImports struct { + client rest.Interface +} + +// newACNPImports returns a ACNPImports +func newACNPImports(c *MulticlusterV1alpha1Client) *aCNPImports { + return &aCNPImports{ + client: c.RESTClient(), + } +} + +// Get takes name of the aCNPImport, and returns the corresponding aCNPImport object, and an error if there is any. +func (c *aCNPImports) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ACNPImport, err error) { + result = &v1alpha1.ACNPImport{} + err = c.client.Get(). + Resource("acnpimports"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of ACNPImports that match those selectors. 
+func (c *aCNPImports) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ACNPImportList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.ACNPImportList{} + err = c.client.Get(). + Resource("acnpimports"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested aCNPImports. +func (c *aCNPImports) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Resource("acnpimports"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a aCNPImport and creates it. Returns the server's representation of the aCNPImport, and an error, if there is any. +func (c *aCNPImports) Create(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.CreateOptions) (result *v1alpha1.ACNPImport, err error) { + result = &v1alpha1.ACNPImport{} + err = c.client.Post(). + Resource("acnpimports"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(aCNPImport). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a aCNPImport and updates it. Returns the server's representation of the aCNPImport, and an error, if there is any. +func (c *aCNPImports) Update(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (result *v1alpha1.ACNPImport, err error) { + result = &v1alpha1.ACNPImport{} + err = c.client.Put(). + Resource("acnpimports"). + Name(aCNPImport.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(aCNPImport). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. 
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *aCNPImports) UpdateStatus(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (result *v1alpha1.ACNPImport, err error) { + result = &v1alpha1.ACNPImport{} + err = c.client.Put(). + Resource("acnpimports"). + Name(aCNPImport.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(aCNPImport). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the aCNPImport and deletes it. Returns an error if one occurs. +func (c *aCNPImports) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Resource("acnpimports"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *aCNPImports) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Resource("acnpimports"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched aCNPImport. +func (c *aCNPImports) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ACNPImport, err error) { + result = &v1alpha1.ACNPImport{} + err = c.client.Patch(pt). + Resource("acnpimports"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go
new file mode 100644
index 00000000000..5af9bd4660f
--- /dev/null
+++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go
@@ -0,0 +1,132 @@ +/* +Copyright 2021 Antrea Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeACNPImports implements ACNPImportInterface +type FakeACNPImports struct { + Fake *FakeMulticlusterV1alpha1 +} + +var acnpimportsResource = schema.GroupVersionResource{Group: "multicluster.crd.antrea.io", Version: "v1alpha1", Resource: "acnpimports"} + +var acnpimportsKind = schema.GroupVersionKind{Group: "multicluster.crd.antrea.io", Version: "v1alpha1", Kind: "ACNPImport"} + +// Get takes name of the aCNPImport, and returns the corresponding aCNPImport object, and an error if there is any. +func (c *FakeACNPImports) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ACNPImport, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootGetAction(acnpimportsResource, name), &v1alpha1.ACNPImport{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ACNPImport), err +} + +// List takes label and field selectors, and returns the list of ACNPImports that match those selectors. 
+func (c *FakeACNPImports) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ACNPImportList, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootListAction(acnpimportsResource, acnpimportsKind, opts), &v1alpha1.ACNPImportList{}) + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.ACNPImportList{ListMeta: obj.(*v1alpha1.ACNPImportList).ListMeta} + for _, item := range obj.(*v1alpha1.ACNPImportList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested aCNPImports. +func (c *FakeACNPImports) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewRootWatchAction(acnpimportsResource, opts)) +} + +// Create takes the representation of a aCNPImport and creates it. Returns the server's representation of the aCNPImport, and an error, if there is any. +func (c *FakeACNPImports) Create(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.CreateOptions) (result *v1alpha1.ACNPImport, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootCreateAction(acnpimportsResource, aCNPImport), &v1alpha1.ACNPImport{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ACNPImport), err +} + +// Update takes the representation of a aCNPImport and updates it. Returns the server's representation of the aCNPImport, and an error, if there is any. +func (c *FakeACNPImports) Update(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (result *v1alpha1.ACNPImport, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewRootUpdateAction(acnpimportsResource, aCNPImport), &v1alpha1.ACNPImport{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ACNPImport), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeACNPImports) UpdateStatus(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (*v1alpha1.ACNPImport, error) { + obj, err := c.Fake. + Invokes(testing.NewRootUpdateSubresourceAction(acnpimportsResource, "status", aCNPImport), &v1alpha1.ACNPImport{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ACNPImport), err +} + +// Delete takes name of the aCNPImport and deletes it. Returns an error if one occurs. +func (c *FakeACNPImports) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewRootDeleteAction(acnpimportsResource, name), &v1alpha1.ACNPImport{}) + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeACNPImports) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewRootDeleteCollectionAction(acnpimportsResource, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.ACNPImportList{}) + return err +} + +// Patch applies the patch and returns the patched aCNPImport. +func (c *FakeACNPImports) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ACNPImport, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootPatchSubresourceAction(acnpimportsResource, name, pt, data, subresources...), &v1alpha1.ACNPImport{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ACNPImport), err +} 
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go index 30ac2ac7dae..12b08f2e009 100644 --- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go +++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go @@ -27,6 +27,10 @@ type FakeMulticlusterV1alpha1 struct { *testing.Fake } +func (c *FakeMulticlusterV1alpha1) ACNPImports() v1alpha1.ACNPImportInterface { + return &FakeACNPImports{c} +} + func (c *FakeMulticlusterV1alpha1) ClusterClaims(namespace string) v1alpha1.ClusterClaimInterface { return &FakeClusterClaims{c, namespace} } diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go index f666a0a8999..415b34aa575 100644 --- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go +++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go @@ -17,6 +17,8 @@ limitations under the License. package v1alpha1 +type ACNPImportExpansion interface{} + type ClusterClaimExpansion interface{} type ClusterSetExpansion interface{} diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go index e3b1c38e45f..5985172b310 100644 --- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go +++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go 
@@ -25,6 +25,7 @@ import ( type MulticlusterV1alpha1Interface interface { RESTClient() rest.Interface + ACNPImportsGetter ClusterClaimsGetter ClusterSetsGetter MemberClusterAnnouncesGetter @@ -39,6 +40,10 @@ type MulticlusterV1alpha1Client struct { restClient rest.Interface } +func (c *MulticlusterV1alpha1Client) ACNPImports() ACNPImportInterface { + return newACNPImports(c) +} + func (c *MulticlusterV1alpha1Client) ClusterClaims(namespace string) ClusterClaimInterface { return newClusterClaims(c, namespace) } diff --git a/multicluster/pkg/client/informers/externalversions/generic.go b/multicluster/pkg/client/informers/externalversions/generic.go index 838bedf070a..f294fc5d9f9 100644 --- a/multicluster/pkg/client/informers/externalversions/generic.go +++ b/multicluster/pkg/client/informers/externalversions/generic.go @@ -52,6 +52,8 @@ func (f *genericInformer) Lister() cache.GenericLister { func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) { switch resource { // Group=multicluster.crd.antrea.io, Version=v1alpha1 + case v1alpha1.SchemeGroupVersion.WithResource("acnpimports"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Multicluster().V1alpha1().ACNPImports().Informer()}, nil case v1alpha1.SchemeGroupVersion.WithResource("clusterclaims"): return &genericInformer{resource: resource.GroupResource(), informer: f.Multicluster().V1alpha1().ClusterClaims().Informer()}, nil case v1alpha1.SchemeGroupVersion.WithResource("clustersets"): diff --git a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go new file mode 100644 index 00000000000..7d04a5f024f --- /dev/null +++ b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go 
@@ -0,0 +1,88 @@ +/* +Copyright 2021 Antrea Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + multiclusterv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + versioned "antrea.io/antrea/multicluster/pkg/client/clientset/versioned" + internalinterfaces "antrea.io/antrea/multicluster/pkg/client/informers/externalversions/internalinterfaces" + v1alpha1 "antrea.io/antrea/multicluster/pkg/client/listers/multicluster/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// ACNPImportInformer provides access to a shared informer and lister for +// ACNPImports. +type ACNPImportInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.ACNPImportLister +} + +type aCNPImportInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// NewACNPImportInformer constructs a new informer for ACNPImport type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewACNPImportInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredACNPImportInformer(client, resyncPeriod, indexers, nil) +} + +// NewFilteredACNPImportInformer constructs a new informer for ACNPImport type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredACNPImportInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.MulticlusterV1alpha1().ACNPImports().List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.MulticlusterV1alpha1().ACNPImports().Watch(context.TODO(), options) + }, + }, + &multiclusterv1alpha1.ACNPImport{}, + resyncPeriod, + indexers, + ) +} + +func (f *aCNPImportInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredACNPImportInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *aCNPImportInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&multiclusterv1alpha1.ACNPImport{}, f.defaultInformer) +} + +func (f *aCNPImportInformer) Lister() v1alpha1.ACNPImportLister { + return v1alpha1.NewACNPImportLister(f.Informer().GetIndexer()) +} 
diff --git a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go index ff4c3100c97..3752d69c273 100644 --- a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go +++ b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go @@ -23,6 +23,8 @@ import ( // Interface provides access to all the informers in this group version. type Interface interface { + // ACNPImports returns a ACNPImportInformer. + ACNPImports() ACNPImportInformer // ClusterClaims returns a ClusterClaimInformer. ClusterClaims() ClusterClaimInformer // ClusterSets returns a ClusterSetInformer. @@ -50,6 +52,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} } +// ACNPImports returns a ACNPImportInformer. +func (v *version) ACNPImports() ACNPImportInformer { + return &aCNPImportInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} +} + // ClusterClaims returns a ClusterClaimInformer. func (v *version) ClusterClaims() ClusterClaimInformer { return &clusterClaimInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go b/multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go new file mode 100644 index 00000000000..0c8602e79de --- /dev/null +++ b/multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go 
@@ -0,0 +1,67 @@ +/* +Copyright 2021 Antrea Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// ACNPImportLister helps list ACNPImports. +// All objects returned here must be treated as read-only. +type ACNPImportLister interface { + // List lists all ACNPImports in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.ACNPImport, err error) + // Get retrieves the ACNPImport from the index for a given name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.ACNPImport, error) + ACNPImportListerExpansion +} + +// aCNPImportLister implements the ACNPImportLister interface. +type aCNPImportLister struct { + indexer cache.Indexer +} + +// NewACNPImportLister returns a new ACNPImportLister. +func NewACNPImportLister(indexer cache.Indexer) ACNPImportLister { + return &aCNPImportLister{indexer: indexer} +} + +// List lists all ACNPImports in the indexer. 
+func (s *aCNPImportLister) List(selector labels.Selector) (ret []*v1alpha1.ACNPImport, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.ACNPImport)) + }) + return ret, err +} + +// Get retrieves the ACNPImport from the index for a given name. +func (s *aCNPImportLister) Get(name string) (*v1alpha1.ACNPImport, error) { + obj, exists, err := s.indexer.GetByKey(name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("acnpimport"), name) + } + return obj.(*v1alpha1.ACNPImport), nil +} diff --git a/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go b/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go index 80cd468ef4e..1bad923a226 100644 --- a/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go +++ b/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go @@ -17,6 +17,10 @@ limitations under the License. package v1alpha1 +// ACNPImportListerExpansion allows custom methods to be added to +// ACNPImportLister. +type ACNPImportListerExpansion interface{} + // ClusterClaimListerExpansion allows custom methods to be added to // ClusterClaimLister. type ClusterClaimListerExpansion interface{} diff --git a/pkg/apis/crd/v1alpha1/types.go b/pkg/apis/crd/v1alpha1/types.go index 12cc33f2eb4..4d475d17b62 100644 --- a/pkg/apis/crd/v1alpha1/types.go +++ b/pkg/apis/crd/v1alpha1/types.go 
@@ -314,12 +314,12 @@ type NetworkPolicySpec struct { // Currently Ingress rule supports setting the `From` field but not the `To` // field within a Rule. // +optional - Ingress []Rule `json:"ingress"` + Ingress []Rule `json:"ingress,omitempty"` // Set of egress rules evaluated based on the order in which they are set. // Currently Egress rule supports setting the `To` field but not the `From` // field within a Rule. // +optional - Egress []Rule `json:"egress"` + Egress []Rule `json:"egress,omitempty"` } // NetworkPolicyPhase defines the phase in which a NetworkPolicy is. @@ -360,12 +360,12 @@ type Rule struct { // Rule is matched if traffic originates from workloads selected by // this field. If this field is empty, this rule matches all sources. // +optional - From []NetworkPolicyPeer `json:"from"` + From []NetworkPolicyPeer `json:"from,omitempty"` // Rule is matched if traffic is intended for workloads selected by // this field. This field can't be used with ToServices. If this field // and ToServices are both empty or missing this rule matches all destinations. // +optional - To []NetworkPolicyPeer `json:"to"` + To []NetworkPolicyPeer `json:"to,omitempty"` // Rule is matched if traffic is intended for a Service listed in this field. // Currently only ClusterIP types Services are supported in this field. This field // can only be used when AntreaProxy is enabled. This field can't be used with To @@ -376,9 +376,10 @@ type Rule struct { // Name describes the intention of this rule. // Name should be unique within the policy. // +optional - Name string `json:"name"` + Name string `json:"name,omitempty"` // EnableLogging is used to indicate if agent should generate logs // when rules are matched. Should be default to false. + // +optional EnableLogging bool `json:"enableLogging"` // Select workloads on which this rule will be applied to. Cannot be set in // conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. 
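Review bot: The `EnableLogging` field in the `@@ -376,9 +376,10 @@` hunk gains a `+optional` marker but keeps `json:"enableLogging"` without `omitempty`, unlike every other tag this commit touches, so it is always serialized (as `false`) even when unset; for consistency with the sibling fields the tag should read `EnableLogging bool `json:"enableLogging,omitempty"``, which is safe because the comment already states the default is false. The same `omitempty` addition is made to `Ingress`/`Egress` in the `@@ -314` hunk here and in the `@@ -538` hunk for ClusterNetworkPolicySpec on the next line; if any consumer of these specs distinguishes an explicitly empty rule list from an absent one, `omitempty` now collapses the two on the wire, so it is worth confirming nothing relies on that distinction (presumably this was done to keep the ResourceExport/Import copies clean). The enclosing struct definitions start outside the hunks.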
@@ -538,12 +539,12 @@ type ClusterNetworkPolicySpec struct { // Currently Ingress rule supports setting the `From` field but not the `To` // field within a Rule. // +optional - Ingress []Rule `json:"ingress"` + Ingress []Rule `json:"ingress,omitempty"` // Set of egress rules evaluated based on the order in which they are set. // Currently Egress rule supports setting the `To` field but not the `From` // field within a Rule. // +optional - Egress []Rule `json:"egress"` + Egress []Rule `json:"egress,omitempty"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object From 7b3d274a84a10376df17047e7b037067903106f7 Mon Sep 17 00:00:00 2001 From: Yang Ding Date: Fri, 25 Feb 2022 15:22:36 -0800 Subject: [PATCH 2/7] Cleanup test code Signed-off-by: Yang Ding --- ci/jenkins/clean-mc.sh | 148 ------------------ ci/jenkins/test-mc.sh | 26 +-- .../v1alpha1/resourceexport_webhook.go | 1 - .../commonarea/resourceimport_controller.go | 24 +-- .../multicluster/resourceexport_controller.go | 4 +- .../resourceexport_controller_test.go | 6 +- 6 files changed, 30 insertions(+), 179 deletions(-) delete mode 100644 ci/jenkins/clean-mc.sh diff --git a/ci/jenkins/clean-mc.sh b/ci/jenkins/clean-mc.sh deleted file mode 100644 index 1e07681c09d..00000000000 --- a/ci/jenkins/clean-mc.sh +++ /dev/null 
@@ -1,148 +0,0 @@ -#!/usr/bin/env bash - -# Copyright 2021 Antrea Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -eo pipefail - -DEFAULT_WORKDIR="/var/lib/jenkins" -DEFAULT_KUBECONFIG_PATH=$DEFAULT_WORKDIR/kube.conf -WORKDIR=$DEFAULT_WORKDIR -TESTCASE="" -TEST_FAILURE=false -DOCKER_REGISTRY=$(head -n1 "/var/lib/jenkins/antrea/ci/docker-registry") -GO_VERSION=$(head -n1 "/var/lib/jenkins/antrea/build/images/deps/go-version") -IMAGE_PULL_POLICY="Always" -MULTICLUSTER_KUBECONFIG_PATH=$WORKDIR/.kube -LEADER_CLUSTER_CONFIG="--kubeconfig=$MULTICLUSTER_KUBECONFIG_PATH/leader" -EAST_CLUSTER_CONFIG="--kubeconfig=$MULTICLUSTER_KUBECONFIG_PATH/east" -WEST_CLUSTER_CONFIG="--kubeconfig=$MULTICLUSTER_KUBECONFIG_PATH/west" - -NGINX_IMAGE=projects.registry.vmware.com/antrea/nginx:1.21.6-alpine - -CONTROL_PLANE_NODE_ROLE="control-plane,master" - -multicluster_kubeconfigs=($EAST_CLUSTER_CONFIG $LEADER_CLUSTER_CONFIG $WEST_CLUSTER_CONFIG) -membercluter_kubeconfigs=($EAST_CLUSTER_CONFIG $WEST_CLUSTER_CONFIG) - -CLEAN_STALE_IMAGES="docker system prune --force --all --filter until=48h" - -_usage="Usage: $0 [--kubeconfigs-path ] [--workdir ] - [--testcase ] - -Run Antrea multi-cluster e2e tests on a remote (Jenkins) Linux Cluster Set. - - --kubeconfigs-path Path of cluster set kubeconfigs. - --workdir Home path for Go, vSphere information and antrea_logs during cluster setup. Default is $WORKDIR. - --testcase Antrea multi-cluster e2e test cases on a Linux cluster set. 
- --registry The docker registry to use instead of dockerhub." - -function print_usage { - echoerr "$_usage" -} - - -while [[ $# -gt 0 ]] -do -key="$1" - -case $key in - --kubeconfigs-path) - MULTICLUSTER_KUBECONFIG_PATH="$2" - shift 2 - ;; - --workdir) - WORKDIR="$2" - shift 2 - ;; - --testcase) - TESTCASE="$2" - shift 2 - ;; - --registry) - DOCKER_REGISTRY="$2" - shift 2 - ;; - -h|--help) - print_usage - exit 0 - ;; - *) # unknown option - echoerr "Unknown option $1" - exit 1 - ;; -esac -done - - -function clean_tmp() { - echo "===== Clean up stale files & folders older than 7 days under /tmp =====" - CLEAN_LIST=( - "*codecov*" - "kustomize-*" - "*antrea*" - "go-build*" - ) - for item in "${CLEAN_LIST[@]}"; do - find /tmp -name "${item}" -mtime +7 -exec rm -rf {} \; 2>&1 | grep -v "Permission denied" || true - done - find ${WORKDIR} -name "support-bundles*" -mtime +7 -exec rm -rf {} \; 2>&1 | grep -v "Permission denied" || true -} - - -function cleanup_multicluster_ns { - ns=$1 - kubeconfig=$2 - - kubectl delete ns "${ns}" --ignore-not-found=true ${kubeconfig} --timeout=30s || true -} - -function cleanup_multicluster_controller { - echo "====== Cleanup Multicluster Controller Installation ======" - kubeconfig=$1 - for multicluster_yml in /var/lib/jenkins/antrea/multicluster/test/yamls/*.yml; do - kubectl delete -f $multicluster_yml $kubeconfig --ignore-not-found=true --timeout=30s || true - done - - for multicluster_yml in /var/lib/jenkins/antrea/multicluster/build/yamls/*.yml; do - kubectl delete -f $multicluster_yml $kubeconfig --ignore-not-found=true --timeout=30s || true - done -} - -function cleanup_multicluster_antrea { - echo "====== Cleanup Antrea controller and agent ======" - kubeconfig=$1 - kubectl get pod -n kube-system -l component=antrea-agent --no-headers=true $kubeconfig | awk '{print $1}' | while read AGENTNAME; do - kubectl exec $AGENTNAME -c antrea-agent -n kube-system ${kubeconfig} ovs-vsctl del-port br-int gw0 || true - done - - for 
antrea_yml in ${WORKDIR}/*.yml; do - kubectl delete -f $antrea_yml --ignore-not-found=true ${kubeconfig} --timeout=30s || true - done -} - -function clean_multicluster { - echo "====== Cleanup Multicluster Antrea Installation in clusters ======" - for kubeconfig in "${multicluster_kubeconfigs[@]}" - do - cleanup_multicluster_ns "antrea-multicluster-test" $kubeconfig - cleanup_multicluster_ns "antrea-mcs-ns" $kubeconfig - cleanup_multicluster_controller $kubeconfig - cleanup_multicluster_antrea $kubeconfig - done -} - -trap clean_multicluster EXIT -clean_tmp - diff --git a/ci/jenkins/test-mc.sh b/ci/jenkins/test-mc.sh index 0ed570f0db9..c6400e787d2 100755 --- a/ci/jenkins/test-mc.sh +++ b/ci/jenkins/test-mc.sh @@ -25,8 +25,8 @@ DEFAULT_KUBECONFIG_PATH=$DEFAULT_WORKDIR/kube.conf WORKDIR=$DEFAULT_WORKDIR TESTCASE="" TEST_FAILURE=false -DOCKER_REGISTRY=$(head -n1 "/var/lib/jenkins/antrea/ci/docker-registry") -GO_VERSION=$(head -n1 "/var/lib/jenkins/antrea/build/images/deps/go-version") +DOCKER_REGISTRY=$(head -n1 "${WORKSPACE}/ci/docker-registry") +GO_VERSION=$(head -n1 "${WORKSPACE}/build/images/deps/go-version") IMAGE_PULL_POLICY="Always" MULTICLUSTER_KUBECONFIG_PATH=$WORKDIR/.kube LEADER_CLUSTER_CONFIG="--kubeconfig=$MULTICLUSTER_KUBECONFIG_PATH/leader" @@ -115,11 +115,11 @@ function cleanup_multicluster_ns { function cleanup_multicluster_controller { echo "====== Cleanup Multicluster Controller Installation ======" kubeconfig=$1 - for multicluster_yml in /var/lib/jenkins/antrea/multicluster/test/yamls/*.yml; do + for multicluster_yml in ${WORKSPACE}/multicluster/test/yamls/*.yml; do kubectl delete -f $multicluster_yml $kubeconfig --ignore-not-found=true --timeout=30s || true done - for multicluster_yml in /var/lib/jenkins/antrea/multicluster/build/yamls/*.yml; do + for multicluster_yml in ${WORKSPACE}/multicluster/build/yamls/*.yml; do kubectl delete -f $multicluster_yml $kubeconfig --ignore-not-found=true --timeout=30s || true done } 
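Review bot: `${WORKSPACE}` replaces the hard-coded `/var/lib/jenkins/antrea` prefix in both test-mc.sh hunks (`@@ -25,8 +25,8 @@` and `@@ -115,11 +115,11 @@`) but is never validated; if it is unset, `head -n1 "${WORKSPACE}/ci/docker-registry"` reads `/ci/docker-registry` and the two `for multicluster_yml in ${WORKSPACE}/multicluster/.../*.yml` globs silently match nothing, so the controller cleanup is skipped without any error. Depending on whether `set -e` is active at that point (the `set +e`/`set -e` toggling later in the file suggests it is), the script either aborts on the `head` call with a misleading "No such file" message or carries on with an empty registry. Presumably the variable is injected by Jenkins; a guard near the top of the script, `: "${WORKSPACE:?WORKSPACE must be set}"`, makes the failure explicit, and quoting the expansion in the glob loops (`for multicluster_yml in "${WORKSPACE}"/multicluster/test/yamls/*.yml; do`) keeps a path containing spaces from being word-split.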
@@ -277,17 +277,17 @@ function run_multicluster_e2e { done -# set +e -# mkdir -p `pwd`/antrea-multicluster-test-logs -# go test -v antrea.io/antrea/multicluster/test/e2e --logs-export-dir `pwd`/antrea-multicluster-test-logs -# if [[ "$?" != "0" ]]; then -# TEST_FAILURE=true -# fi -# set -e + set +e + mkdir -p `pwd`/antrea-multicluster-test-logs + go test -v antrea.io/antrea/multicluster/test/e2e --logs-export-dir `pwd`/antrea-multicluster-test-logs + if [[ "$?" != "0" ]]; then + TEST_FAILURE=true + fi + set -e } -#trap clean_multicluster EXIT -#clean_tmp +trap clean_multicluster EXIT +clean_tmp if [[ ${TESTCASE} =~ "e2e" ]]; then deliver_antrea_multicluster diff --git a/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go b/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go index 5b78713eee6..4429f182860 100644 --- a/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go +++ b/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go @@ -54,7 +54,6 @@ func (r *ResourceExport) Default() { if namespaceLabelVal, exists := r.Labels[common.SourceNamespace]; !exists || namespaceLabelVal != "" { r.Labels[common.SourceNamespace] = "" } - // TODO: put sourceClusterID for leader cluster? if kindLabelVal, exists := r.Labels[common.SourceKind]; !exists || kindLabelVal != common.AntreaClusterNetworkPolicyKind { r.Labels[common.SourceKind] = common.AntreaClusterNetworkPolicyKind } diff --git a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go index cd8ca0441b7..2485aa91e3d 100644 --- a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go +++ b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go 
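Review bot: The re-enabled test invocation in `run_multicluster_e2e` tests `$?` on a separate line wrapped in a `set +e`/`set -e` pair, which is fragile because any command inserted between `go test` and the `if` would change what `$?` refers to. Folding the exit status into the conditional, `if ! go test -v antrea.io/antrea/multicluster/test/e2e --logs-export-dir "$(pwd)"/antrea-multicluster-test-logs; then TEST_FAILURE=true; fi`, works under `set -e` without toggling it and also replaces the legacy backtick substitution with `$(pwd)`. The body of `run_multicluster_e2e` starts outside the hunk.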
@@ -380,22 +380,24 @@ func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx
 tierKind, tierName := &v1alpha1.Tier{}, acnpObj.Spec.Tier
 err = r.localClusterClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tierName}, tierKind)
 tierNotFound := apierrors.IsNotFound(err)
- if acnpNotFound && !tierNotFound {
- if err = r.localClusterClient.Create(ctx, acnpObj, &client.CreateOptions{}); err != nil {
- klog.ErrorS(err, "failed to create imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj))
- return ctrl.Result{}, err
+ if !tierNotFound {
+ if acnpNotFound {
+ if err = r.localClusterClient.Create(ctx, acnpObj, &client.CreateOptions{}); err != nil {
+ klog.ErrorS(err, "failed to create imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj))
+ return ctrl.Result{}, err
+ }
+ } else if !apiequality.Semantic.DeepEqual(acnp.Spec, acnpObj.Spec) {
+ acnp.Spec = acnpObj.Spec
+ if err = r.localClusterClient.Update(ctx, acnp, &client.UpdateOptions{}); err != nil {
+ klog.ErrorS(err, "failed to update imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj))
+ return ctrl.Result{}, err
+ }
 }
- } else if !acnpNotFound && tierNotFound {
+ } else if tierNotFound && !acnpNotFound {
 if err = r.localClusterClient.Delete(ctx, acnpObj, &client.DeleteOptions{}); err != nil {
 klog.ErrorS(err, "failed to delete imported Antrea ClusterNetworkPolicy that no longer have a valid Tier for the current cluster", "acnp", klog.KObj(acnpObj))
 return ctrl.Result{}, err
 }
- } else if !apiequality.Semantic.DeepEqual(acnp.Spec, acnpObj.Spec) {
- acnp.Spec = acnpObj.Spec
- if err = r.localClusterClient.Update(ctx, acnp, &client.UpdateOptions{}); err != nil {
- klog.ErrorS(err, "failed to update imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj))
- return ctrl.Result{}, err
- }
 }
 acnpImp := &multiclusterv1alpha1.ACNPImport{}
 err = r.localClusterClient.Get(ctx, acnpImpName, acnpImp)
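Review bot: A non-NotFound error from the Tier `Get` on the hunk's second context line is never handled: `tierNotFound` is only `apierrors.IsNotFound(err)`, so a transient API error leaves it false and the new `if !tierNotFound` branch goes on to create or update the imported ACNP as though the Tier existed. Add `if err != nil && !tierNotFound { return ctrl.Result{}, err }` directly after `tierNotFound := apierrors.IsNotFound(err)` so the reconcile is requeued instead; the moved copy of this function in acnpimport_controller.go (patch 3/7) uses exactly that pattern for the ACNP `Get`, `if err != nil && !acnpNotFound { return ctrl.Result{}, err }`, and the Tier lookup should mirror it. The case where both the Tier and the ACNP are absent now falls through every branch silently, which matches the old behaviour but would benefit from a `klog.V(2).InfoS` so a policy that never materialises in a member cluster can be diagnosed. handleResImpUpdateForClusterNetworkPolicy starts and ends outside the hunk.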
diff --git a/multicluster/controllers/multicluster/resourceexport_controller.go b/multicluster/controllers/multicluster/resourceexport_controller.go index 9b7e707bc56..ad03e96848e 100644 --- a/multicluster/controllers/multicluster/resourceexport_controller.go +++ b/multicluster/controllers/multicluster/resourceexport_controller.go @@ -74,7 +74,7 @@ func NewResourceExportReconciler( // Reconcile will process all kinds of ResourceExport. Service and Endpoint kinds of ResourceExport // will be handled in this file, and all other kinds will have their own handler files, eg: newkind_handler.go func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { - klog.InfoS("reconciling ResourceExport", "resourceexport", req.NamespacedName) + klog.V(2).InfoS("reconciling ResourceExport", "resourceexport", req.NamespacedName) var resExport mcsv1alpha1.ResourceExport if err := r.Client.Get(ctx, req.NamespacedName, &resExport); err != nil { return ctrl.Result{}, client.IgnoreNotFound(err) @@ -99,14 +99,12 @@ func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Reque // More details about using Finalizers, please refer to https://book.kubebuilder.io/reference/using-finalizers.html. if !resExport.DeletionTimestamp.IsZero() { if common.StringExistsInSlice(resExport.Finalizers, common.ResourceExportFinalizer) { - klog.Info("There are finalizers, handling delete event") err := r.handleDeleteEvent(ctx, &resExport) if err != nil { return ctrl.Result{}, err } return r.deleteResourceExport(&resExport) } - klog.Info("There are no finalizers, returning") return ctrl.Result{}, nil } diff --git a/multicluster/controllers/multicluster/resourceexport_controller_test.go b/multicluster/controllers/multicluster/resourceexport_controller_test.go index 428d162b90b..fd1ff1c61d6 100644 --- a/multicluster/controllers/multicluster/resourceexport_controller_test.go 
+++ b/multicluster/controllers/multicluster/resourceexport_controller_test.go @@ -35,9 +35,9 @@ import ( ) var ( - now = metav1.Now() - dropAction = v1alpha1.RuleActionDrop - svcLabels = map[string]string{ + now = metav1.Now() + dropAction = v1alpha1.RuleActionDrop + svcLabels = map[string]string{ common.SourceNamespace: "default", common.SourceName: "nginx", common.SourceKind: "Service", From 83ca0c893f4fe1bee272957ecfadf84c3254000a Mon Sep 17 00:00:00 2001 From: Yang Ding Date: Mon, 28 Feb 2022 13:08:46 -0800 Subject: [PATCH 3/7] Rebase and resolve comments Signed-off-by: Yang Ding --- multicluster/Makefile | 5 + .../v1alpha1/resourceexport_webhook.go | 2 +- .../commonarea/acnpimport_controller.go | 218 +++++++++ .../commonarea/acnpimport_controller_test.go | 417 ++++++++++++++++++ .../commonarea/resourceimport_controller.go | 183 +------- .../resourceimport_controller_test.go | 386 +--------------- .../multicluster/resourceexport_controller.go | 30 +- 7 files changed, 663 insertions(+), 578 deletions(-) create mode 100644 multicluster/controllers/multicluster/commonarea/acnpimport_controller.go create mode 100644 multicluster/controllers/multicluster/commonarea/acnpimport_controller_test.go diff --git a/multicluster/Makefile b/multicluster/Makefile index b12a25764e6..1a4b8dbb474 100644 --- a/multicluster/Makefile +++ b/multicluster/Makefile 
@@ -1,4 +1,9 @@
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
+# For controller-gen, float value is not allowed by default as it is considered dangerous
+# See https://github.com/kubernetes-sigs/controller-tools/issues/245
+# However the ResourceExport/Import refers to ACNP type definition and the priority field in ACNP spec is of type float64.
+# Hence, before any ACNP spec bumps that changes the priorty field to a different type,
+# the allowDangerousTypes flag is needed for CRD manifests to generate correctly.
 CRD_OPTIONS ?= "crd:trivialVersions=true,allowDangerousTypes=true,preserveUnknownFields=false"
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
diff --git a/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go b/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go
index 4429f182860..96770b999bf 100644
--- a/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go
+++ b/multicluster/apis/multicluster/v1alpha1/resourceexport_webhook.go
@@ -58,7 +58,7 @@ func (r *ResourceExport) Default() {
 		r.Labels[common.SourceKind] = common.AntreaClusterNetworkPolicyKind
 	}
 	if r.DeletionTimestamp.IsZero() && !common.StringExistsInSlice(r.Finalizers, common.ResourceExportFinalizer) {
-		r.Finalizers = []string{common.ResourceExportFinalizer}
+		r.Finalizers = append(r.Finalizers, common.ResourceExportFinalizer)
 	}
 }
 
diff --git a/multicluster/controllers/multicluster/commonarea/acnpimport_controller.go b/multicluster/controllers/multicluster/commonarea/acnpimport_controller.go
new file mode 100644
index 00000000000..8134cead088
--- /dev/null
+++ b/multicluster/controllers/multicluster/commonarea/acnpimport_controller.go
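Review bot: The fourth added comment line misspells `priorty`; suggested wording `# Hence, before any ACNP spec bump changes the priority field to a different type,`. The first added line also reads better as `# For controller-gen, float values are not allowed by default as they are considered dangerous`.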
@@ -0,0 +1,218 @@ +/* +Copyright 2022 Antrea Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package commonarea + +import ( + "context" + "errors" + + corev1 "k8s.io/api/core/v1" + apiequality "k8s.io/apimachinery/pkg/api/equality" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "k8s.io/klog/v2" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + + multiclusterv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + "antrea.io/antrea/multicluster/controllers/multicluster/common" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" +) + +func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) { + acnpImpName := types.NamespacedName{ + Namespace: "", + Name: resImp.Spec.Name, + } + acnpName := types.NamespacedName{ + Namespace: "", + Name: common.AntreaMCSPrefix + resImp.Spec.Name, + } + klog.InfoS("Updating ACNP and ACNPImport corresponding to ResourceImport", + "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) + + acnp := &v1alpha1.ClusterNetworkPolicy{} + err := r.localClusterClient.Get(ctx, acnpName, acnp) + acnpNotFound := apierrors.IsNotFound(err) + if err != nil && !acnpNotFound { + return ctrl.Result{}, err + } + if !acnpNotFound { + if _, ok := acnp.Annotations[common.AntreaMCACNPAnnotation]; !ok { + err := 
errors.New("unable to import Antrea ClusterNetworkPolicy which conflicts with existing one") + klog.ErrorS(err, "", "acnp", klog.KObj(acnp)) + return ctrl.Result{}, err + } + } + acnpObj := getMCAntreaClusterPolicy(resImp) + tierKind, tierName := &v1alpha1.Tier{}, acnpObj.Spec.Tier + err = r.localClusterClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tierName}, tierKind) + tierNotFound := apierrors.IsNotFound(err) + if !tierNotFound { + // If the ACNP Tier exists in the importing member cluster, then the policy is realizable. + // Create or update the ACNP if necessary. + if acnpNotFound { + if err = r.localClusterClient.Create(ctx, acnpObj, &client.CreateOptions{}); err != nil { + klog.ErrorS(err, "failed to create imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj)) + return ctrl.Result{}, err + } + } else if !apiequality.Semantic.DeepEqual(acnp.Spec, acnpObj.Spec) { + acnp.Spec = acnpObj.Spec + if err = r.localClusterClient.Update(ctx, acnp, &client.UpdateOptions{}); err != nil { + klog.ErrorS(err, "failed to update imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj)) + return ctrl.Result{}, err + } + } + } else if tierNotFound && !acnpNotFound { + // The ACNP Tier does not exist, and the policy cannot be realized in this particular importing member cluster. + // If there is an ACNP previously created via import (which has a valid Tier by then), it should be cleaned up. 
+ if err = r.localClusterClient.Delete(ctx, acnpObj, &client.DeleteOptions{}); err != nil { + klog.ErrorS(err, "failed to delete imported Antrea ClusterNetworkPolicy that no longer has a valid Tier for the current cluster", "acnp", klog.KObj(acnpObj)) + return ctrl.Result{}, err + } + } + acnpImp := &multiclusterv1alpha1.ACNPImport{} + err = r.localClusterClient.Get(ctx, acnpImpName, acnpImp) + acnpImpNotFound := apierrors.IsNotFound(err) + if err != nil && !acnpImpNotFound { + klog.ErrorS(err, "failed to get existing ACNPImports") + return ctrl.Result{}, err + } + // acnpImport status will be realizable=False if Tier is not found on this member cluster, and realizable=True otherwise. + acnpImpObj, isRealizable := getACNPImport(resImp, tierNotFound) + if acnpImpNotFound { + err := r.localClusterClient.Create(ctx, acnpImpObj, &client.CreateOptions{}) + if err != nil { + klog.ErrorS(err, "failed to create ACNPImport", "acnpimport", klog.KObj(acnpImpObj)) + return ctrl.Result{}, err + } + r.installedResImports.Add(*resImp) + } + patchACNPImportStatus := false + if len(acnpImp.Status.Conditions) == 0 { + acnpImp.Status = acnpImpObj.Status + patchACNPImportStatus = true + } else { + for _, c := range acnpImp.Status.Conditions { + if c.Type == multiclusterv1alpha1.ACNPImportRealizable && c.Status != isRealizable { + acnpImp.Status = acnpImpObj.Status + patchACNPImportStatus = true + } + } + } + // Patch ACNPImport status if realizable state has changed. 
+ if patchACNPImportStatus { + if err := r.localClusterClient.Status().Update(ctx, acnpImp); err != nil { + klog.ErrorS(err, "failed to update acnpImport status", "acnpImport", klog.KObj(acnpImp)) + } + } + return ctrl.Result{}, nil +} + +func (r *ResourceImportReconciler) handleResImpDeleteForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) { + acnpImpName := types.NamespacedName{ + Namespace: "", + Name: resImp.Spec.Name, + } + acnpName := types.NamespacedName{ + Namespace: "", + Name: common.AntreaMCSPrefix + resImp.Spec.Name, + } + klog.InfoS("Deleting ACNP and ACNPImport corresponding to ResourceImport", + "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) + + var err error + cleanupACNPImport := func() (ctrl.Result, error) { + acnpImp := &multiclusterv1alpha1.ACNPImport{} + err = r.localClusterClient.Get(ctx, acnpImpName, acnpImp) + if err != nil { + return ctrl.Result{}, client.IgnoreNotFound(err) + } + err = r.localClusterClient.Delete(ctx, acnpImp, &client.DeleteOptions{}) + if err != nil { + return ctrl.Result{}, client.IgnoreNotFound(err) + } + return ctrl.Result{}, nil + } + + acnp := &v1alpha1.ClusterNetworkPolicy{} + err = r.localClusterClient.Get(ctx, acnpName, acnp) + if err != nil { + if apierrors.IsNotFound(err) { + klog.V(2).InfoS("ACNP corresponding to ResourceImport has already been deleted", + "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) + return cleanupACNPImport() + } + return ctrl.Result{}, err + } + err = r.localClusterClient.Delete(ctx, acnp, &client.DeleteOptions{}) + if err != nil { + return ctrl.Result{}, err + } + return cleanupACNPImport() +} + +func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1alpha1.ClusterNetworkPolicy { + if resImp.Spec.ClusterNetworkPolicy == nil { + return nil + } + return &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + resImp.Spec.Name, + 
Annotations: map[string]string{ + common.AntreaMCACNPAnnotation: "true", + }, + }, + Spec: *resImp.Spec.ClusterNetworkPolicy, + } +} + +func getACNPImport(resImp *multiclusterv1alpha1.ResourceImport, tierNotFound bool) (*multiclusterv1alpha1.ACNPImport, corev1.ConditionStatus) { + if resImp.Spec.ClusterNetworkPolicy == nil { + return nil, corev1.ConditionFalse + } + status, isRealizable := getACNPImportStatus(tierNotFound) + return &multiclusterv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: resImp.Spec.Name, + }, + Status: multiclusterv1alpha1.ACNPImportStatus{ + Conditions: []multiclusterv1alpha1.ACNPImportCondition{status}, + }, + }, isRealizable +} + +func getACNPImportStatus(tierNotFound bool) (multiclusterv1alpha1.ACNPImportCondition, corev1.ConditionStatus) { + tierNotFoundReason := "TierNotFound" + tierNotFoundMessage := "ACNP Tier does not exist in the importing cluster" + time := metav1.Now() + if tierNotFound { + return multiclusterv1alpha1.ACNPImportCondition{ + Type: multiclusterv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionFalse, + LastTransitionTime: &time, + Reason: &tierNotFoundReason, + Message: &tierNotFoundMessage, + }, corev1.ConditionFalse + } + return multiclusterv1alpha1.ACNPImportCondition{ + Type: multiclusterv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionTrue, + LastTransitionTime: &time, + }, corev1.ConditionTrue +} diff --git a/multicluster/controllers/multicluster/commonarea/acnpimport_controller_test.go b/multicluster/controllers/multicluster/commonarea/acnpimport_controller_test.go new file mode 100644 index 00000000000..8a9b7ed5eef --- /dev/null +++ b/multicluster/controllers/multicluster/commonarea/acnpimport_controller_test.go 
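Review bot: handleResImpDeleteForClusterNetworkPolicy deletes whatever ClusterNetworkPolicy carries the `common.AntreaMCSPrefix` name, while handleResImpUpdateForClusterNetworkPolicy refuses to touch an ACNP that lacks `common.AntreaMCACNPAnnotation`; a locally created policy with a colliding name is therefore protected from being overwritten but not from being removed when the ResourceImport goes away, which silently drops enforcement in that cluster. After the Get in the delete handler succeeds, mirror the update-path guard: `if _, ok := acnp.Annotations[common.AntreaMCACNPAnnotation]; !ok { klog.InfoS("Skipping deletion of ACNP not created by import", "acnp", klog.KObj(acnp)); return cleanupACNPImport() }`. In the update handler the Tier lookup only distinguishes NotFound, so a transient error from `r.localClusterClient.Get(ctx, ..., tierKind)` leaves tierNotFound false and the code goes on to create or update the ACNP; add `if err != nil && !tierNotFound { return ctrl.Result{}, err }` right after tierNotFound is computed. getMCAntreaClusterPolicy and getACNPImport return nil when `resImp.Spec.ClusterNetworkPolicy` is nil, but both callers dereference the result unconditionally (`acnpObj.Spec.Tier`, `acnpImpObj.Status`), which would panic the controller on a malformed ResourceImport; guard with `if acnpObj == nil { return ctrl.Result{}, errors.New("ResourceImport has no ClusterNetworkPolicy spec") }`. Note also that after a successful Create of the ACNPImport the status update further down still operates on the empty `acnpImp` left by the failed Get, so if the ACNPImport CRD serves status as a subresource the Realizable condition is presumably never written on a real API server (the fake client in the tests persists status on Create and hides this); assigning `acnpImp = acnpImpObj` in the created branch and forcing the status update there would address it.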
@@ -0,0 +1,417 @@ +/* +Copyright 2022 Antrea Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package commonarea + +import ( + "reflect" + "testing" + + "github.com/stretchr/testify/assert" + corev1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client/fake" + + mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + "antrea.io/antrea/multicluster/controllers/multicluster/common" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" +) + +var ( + acnpImportName = "acnp-for-isolation" + acnpResImportName = leaderNamespace + "-" + acnpImportName + + acnpImpReq = ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: acnpResImportName, + }} + acnpImpNoMatchingTierReq = ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: "default-acnp-no-matching-tier", + }} + + allowAction = v1alpha1.RuleActionAllow + dropAction = v1alpha1.RuleActionDrop + securityOpsTier = &v1alpha1.Tier{ + ObjectMeta: metav1.ObjectMeta{ + Name: "securityops", + }, + Spec: v1alpha1.TierSpec{ + Priority: int32(100), + Description: "[READ-ONLY]: System generated SecurityOps Tier", + }, + } + acnpResImport = &mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: acnpResImportName, + }, + Spec: 
mcsv1alpha1.ResourceImportSpec{ + Name: acnpImportName, + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + Ingress: []v1alpha1.Rule{ + { + Action: &dropAction, + 
From: []v1alpha1.NetworkPolicyPeer{ + { + Namespaces: &v1alpha1.PeerNamespaces{ + Match: v1alpha1.NamespaceMatchSelf, + }, + }, + }, + }, + }, + }, + }, + } + acnpResImportNoMatchingTier = &mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: "default-acnp-no-matching-tier", + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: "acnp-no-matching-tier", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "somerandomtier", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } +) + +func TestResourceImportReconciler_handleCopySpanACNPCreateEvent(t *testing.T) { + remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + defer remoteMgr.Stop() + + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(securityOpsTier).Build() + fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(acnpResImport, acnpResImportNoMatchingTier).Build() + remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + tests := []struct { + name string + acnpImportName string + req ctrl.Request + expectedSuccess bool + }{ + { + name: "import ACNP of pre-defined tiers", + acnpImportName: acnpImportName, + req: acnpImpReq, + expectedSuccess: true, + }, + { + name: "import ACNP of non-existing tier", + acnpImportName: "acnp-no-matching-tier", + req: acnpImpNoMatchingTierReq, + expectedSuccess: false, + }, + } + r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, localClusterID, remoteCluster) + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if _, err := r.Reconcile(ctx, tt.req); err != nil { + if err != nil { + t.Errorf("ResourceImport Reconciler should handle ACNP create event successfully but got error = %v", err) + } + } else { + acnp := 
&v1alpha1.ClusterNetworkPolicy{} + err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + tt.acnpImportName}, acnp) + if tt.expectedSuccess && err != nil { + t.Errorf("ResourceImport Reconciler should import an ACNP successfully but got error = %v", err) + } else if !tt.expectedSuccess && (err == nil || !apierrors.IsNotFound(err)) { + t.Errorf("ResourceImport Reconciler should not import an ACNP whose Tier does not exist in current cluster. Expected NotFound error. Actual err = %v", err) + } + acnpImport := &mcsv1alpha1.ACNPImport{} + if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tt.acnpImportName}, acnpImport); err != nil { + t.Errorf("ResourceImport Reconciler should create ACNPImport for ACNP type resouc") + } + status := acnpImport.Status.Conditions + if len(status) > 0 && status[0].Type == mcsv1alpha1.ACNPImportRealizable { + if tt.expectedSuccess && status[0].Status != corev1.ConditionTrue { + t.Errorf("ACNPImport %v realizable status should be True but is %v instead", acnpImportName, status[0].Status) + } else if !tt.expectedSuccess && status[0].Status != corev1.ConditionFalse { + t.Errorf("ACNPImport %v realizable status should be False but is %v instead", acnpImportName, status[0].Status) + } + } else { + t.Errorf("No realizable status provided for ACNPImport %v", acnpImportName) + } + } + }) + } +} + +func TestResourceImportReconciler_handleCopySpanACNPDeleteEvent(t *testing.T) { + remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + defer remoteMgr.Stop() + + existingACNP := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + acnpImportName, + }, + } + existingACNPImport := &mcsv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: acnpImportName, + }, + } + + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP, existingACNPImport).Build() + 
fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).Build() + remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, localClusterID, remoteCluster) + r.installedResImports.Add(*acnpResImport) + + if _, err := r.Reconcile(ctx, acnpImpReq); err != nil { + t.Errorf("ResourceImport Reconciler should handle ACNP ResourceImport delete event successfully but got error = %v", err) + } + acnp := &v1alpha1.ClusterNetworkPolicy{} + if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + acnpImportName}, acnp); !apierrors.IsNotFound(err) { + t.Errorf("ResourceImport Reconciler should delete ACNP successfully but got error = %v", err) + } + acnpImport := &mcsv1alpha1.ACNPImport{} + if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: acnpImportName}, acnpImport); !apierrors.IsNotFound(err) { + t.Errorf("ResourceImport Reconciler should delete ACNPImport successfully but got error = %v", err) + } +} + +func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { + remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + defer remoteMgr.Stop() + + existingACNP1 := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + acnpImportName, + Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, + }, + Spec: v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + Ingress: []v1alpha1.Rule{ + { + Action: &allowAction, + 
From: []v1alpha1.NetworkPolicyPeer{ + { + Namespaces: &v1alpha1.PeerNamespaces{ + Match: v1alpha1.NamespaceMatchSelf, + }, + }, + }, + }, + }, + }, + } + existingACNPImport1 := &mcsv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: acnpImportName, + }, + Status: mcsv1alpha1.ACNPImportStatus{ + Conditions: []mcsv1alpha1.ACNPImportCondition{ + { + Type: mcsv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionTrue, + }, + }, + }, + } + existingACNPImport2 := &mcsv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: "acnp-no-matching-tier", + }, + Status: mcsv1alpha1.ACNPImportStatus{ + Conditions: []mcsv1alpha1.ACNPImportCondition{ + { + Type: mcsv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionFalse, + }, + }, + }, + } + updatedResImport2 := &mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: "default-acnp-no-matching-tier", + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: "acnp-no-matching-tier", + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } + existingACNP3 := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + "valid-updated-to-no-valid", + Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, + }, + Spec: v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + } + existingACNPImport3 := &mcsv1alpha1.ACNPImport{ + ObjectMeta: metav1.ObjectMeta{ + Name: "valid-updated-to-no-valid", + }, + Status: mcsv1alpha1.ACNPImportStatus{ + Conditions: []mcsv1alpha1.ACNPImportCondition{ + { + Type: mcsv1alpha1.ACNPImportRealizable, + Status: corev1.ConditionTrue, + }, + }, + }, + } + updatedResImport3 := 
&mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: leaderNamespace, + Name: "default-valid-updated-to-no-valid", + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: acnpImportName, + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "somerandomtier", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } + acnpImp3Req := ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: "default-valid-updated-to-no-valid", + }} + acnpImp4Req := ctrl.Request{NamespacedName: types.NamespacedName{ + Namespace: leaderNamespace, + Name: "default-name-conflict", + }} + existingACNP4 := &v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + "name-conflict", + }, + Spec: v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + } + + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP1, existingACNPImport1, existingACNPImport2, + existingACNP3, existingACNPImport3, existingACNP4, securityOpsTier).Build() + fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(acnpResImport, updatedResImport2, updatedResImport3).Build() + remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, localClusterID, remoteCluster) + r.installedResImports.Add(*acnpResImport) + r.installedResImports.Add(*acnpResImportNoMatchingTier) + r.installedResImports.Add(*updatedResImport3) + + tests := []struct { + name string + acnpImportName string + req ctrl.Request + expectErr bool + expectImportSuccess bool + expectedUpdatedACNPSpec *v1alpha1.ClusterNetworkPolicySpec + }{ + { + name: "update acnp 
spec", + acnpImportName: acnpImportName, + req: acnpImpReq, + expectErr: false, + expectImportSuccess: true, + expectedUpdatedACNPSpec: acnpResImport.Spec.ClusterNetworkPolicy, + }, + { + name: "imported acnp missing tier update to valid tier", + acnpImportName: "acnp-no-matching-tier", + req: acnpImpNoMatchingTierReq, + expectErr: false, + expectImportSuccess: true, + expectedUpdatedACNPSpec: updatedResImport2.Spec.ClusterNetworkPolicy, + }, + { + name: "valid imported acnp update to missing tier", + req: acnpImp3Req, + acnpImportName: "valid-updated-to-no-valid", + expectErr: false, + expectImportSuccess: false, + expectedUpdatedACNPSpec: nil, + }, + { + name: "name conflict with existing acnp", + req: acnpImp4Req, + acnpImportName: "name-conflict", + expectErr: true, + expectImportSuccess: false, + expectedUpdatedACNPSpec: nil, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if _, err := r.Reconcile(ctx, tt.req); err != nil { + if tt.expectErr { + assert.Contains(t, err.Error(), "conflicts with existing one") + } else { + t.Errorf("ResourceImport Reconciler should handle update event successfully but got error = %v", err) + } + } else { + if tt.expectedUpdatedACNPSpec != nil { + acnp := &v1alpha1.ClusterNetworkPolicy{} + err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + tt.acnpImportName}, acnp) + if tt.expectImportSuccess && err != nil { + t.Errorf("ResourceImport Reconciler should import an ACNP successfully but got error = %v", err) + } else if !tt.expectImportSuccess && (err == nil || !apierrors.IsNotFound(err)) { + t.Errorf("ResourceImport Reconciler should not import an ACNP whose Tier does not exist in current cluster. Expected NotFound error. Actual err = %v", err) + } else if !reflect.DeepEqual(acnp.Spec, *tt.expectedUpdatedACNPSpec) { + t.Errorf("ACNP spec was not updated successfully") + } + } + } + }) + } +} 
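Review bot: The "valid imported acnp update to missing tier" case in TestResourceImportReconciler_handleCopySpanACNPUpdateEvent asserts nothing once Reconcile returns nil, because the whole verification branch sits under `if tt.expectedUpdatedACNPSpec != nil`, so neither the deletion of existingACNP3 nor the flip of existingACNPImport3's Realizable condition to False is ever checked; move the `fakeClient.Get` of the ACNP and the NotFound check outside that guard and compare specs only when expectedUpdatedACNPSpec is set. In TestResourceImportReconciler_handleCopySpanACNPCreateEvent the inner `if err != nil` is always true inside the outer `err != nil` branch and can be dropped, and the t.Errorf messages use the package-level `acnpImportName` where `tt.acnpImportName` is meant, so a failure in the second case would report the wrong object. The message `"ResourceImport Reconciler should create ACNPImport for ACNP type resouc"` is truncated; `"... for ACNP type ResourceImport"` is presumably what was intended.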
diff --git a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
index 2485aa91e3d..5bd849be1da 100644
--- a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
+++ b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
@@ -37,7 +37,6 @@ import (
 
 	multiclusterv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1"
 	"antrea.io/antrea/multicluster/controllers/multicluster/common"
-	"antrea.io/antrea/pkg/apis/crd/v1alpha1"
 )
 
 const (
@@ -93,7 +92,7 @@ func NewResourceImportReconciler(client client.Client, scheme *runtime.Scheme, l
 // Reconcile will attempt to ensure that the imported Resource is installed in local cluster as per the
 // ResourceImport object.
 func (r *ResourceImportReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	klog.V(2).InfoS("reconciling ResourceImport", "resourceimport", req.NamespacedName)
+	klog.V(2).InfoS("Reconciling ResourceImport", "resourceimport", req.NamespacedName)
 	// TODO: Must check whether this ResourceImport must be reconciled by this member cluster. Check `spec.clusters` field.
 	if r.localClusterClient == nil {
 		return ctrl.Result{}, errors.New("localClusterClient has not been initialized properly, no local cluster client")
@@ -109,7 +108,7 @@ func (r *ResourceImportReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	if err != nil {
 		isDeleted = apierrors.IsNotFound(err)
 		if !isDeleted {
-			klog.InfoS("unable to fetch ResourceImport", "resourceimport", req.NamespacedName.String(), "err", err)
+			klog.InfoS("Unable to fetch ResourceImport", "resourceimport", req.NamespacedName.String(), "err", err)
 			return ctrl.Result{}, err
 		} else {
 			resImpObj, exist, err := r.installedResImports.GetByKey(req.NamespacedName.String())
@@ -351,133 +350,8 @@ func (r *ResourceImportReconciler) handleResImpDeleteForEndpoints(ctx context.Co return ctrl.Result{}, nil } -func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) { - acnpImpName := types.NamespacedName{ - Namespace: "", - Name: resImp.Spec.Name, - } - acnpName := types.NamespacedName{ - Namespace: "", - Name: common.AntreaMCSPrefix + resImp.Spec.Name, - } - klog.InfoS("Updating ACNP and ACNPImport corresponding to ResourceImport", - "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) - - acnp := &v1alpha1.ClusterNetworkPolicy{} - err := r.localClusterClient.Get(ctx, acnpName, acnp) - acnpNotFound := apierrors.IsNotFound(err) - if err != nil && !acnpNotFound { - return ctrl.Result{}, err - } - if !acnpNotFound { - if _, ok := acnp.Annotations[common.AntreaMCACNPAnnotation]; !ok { - err := errors.New("unable to import Antrea ClusterNetworkPolicy which conflicts with existing one") - klog.ErrorS(err, "", "acnp", klog.KObj(acnp)) - return ctrl.Result{}, err - } - } - acnpObj := getMCAntreaClusterPolicy(resImp) - tierKind, tierName := &v1alpha1.Tier{}, acnpObj.Spec.Tier - err = r.localClusterClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tierName}, tierKind) - tierNotFound := apierrors.IsNotFound(err) - if !tierNotFound { - if acnpNotFound { - if err = r.localClusterClient.Create(ctx, acnpObj, &client.CreateOptions{}); err != nil { - klog.ErrorS(err, "failed to create imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj)) - return ctrl.Result{}, err - } - } else if !apiequality.Semantic.DeepEqual(acnp.Spec, acnpObj.Spec) { - acnp.Spec = acnpObj.Spec - if err = r.localClusterClient.Update(ctx, acnp, &client.UpdateOptions{}); err != nil { - klog.ErrorS(err, "failed to update imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj)) - return ctrl.Result{}, err - } - } - } else if tierNotFound && 
!acnpNotFound { - if err = r.localClusterClient.Delete(ctx, acnpObj, &client.DeleteOptions{}); err != nil { - klog.ErrorS(err, "failed to delete imported Antrea ClusterNetworkPolicy that no longer have a valid Tier for the current cluster", "acnp", klog.KObj(acnpObj)) - return ctrl.Result{}, err - } - } - acnpImp := &multiclusterv1alpha1.ACNPImport{} - err = r.localClusterClient.Get(ctx, acnpImpName, acnpImp) - acnpImpNotFound := apierrors.IsNotFound(err) - if err != nil && !acnpImpNotFound { - klog.ErrorS(err, "failed to get existing ACNPImports") - return ctrl.Result{}, err - } - acnpImpObj := getACNPImport(resImp, tierNotFound) - if acnpImpNotFound { - err := r.localClusterClient.Create(ctx, acnpImpObj, &client.CreateOptions{}) - if err != nil { - klog.ErrorS(err, "failed to create ACNPImport", "acnpimport", klog.KObj(acnpImpObj)) - return ctrl.Result{}, err - } - r.installedResImports.Add(*resImp) - } - patchACNPImportStatus := false - if len(acnpImp.Status.Conditions) == 0 { - acnpImp.Status = acnpImpObj.Status - patchACNPImportStatus = true - } else { - if acnpImp.Status.Conditions[0].Status != acnpImpObj.Status.Conditions[0].Status { - acnpImp.Status = acnpImpObj.Status - patchACNPImportStatus = true - } - } - if patchACNPImportStatus { - if err := r.localClusterClient.Status().Update(ctx, acnpImp); err != nil { - klog.ErrorS(err, "failed to update acnpImport status", "acnpImport", klog.KObj(acnpImp)) - } - } - return ctrl.Result{}, nil -} - -func (r *ResourceImportReconciler) handleResImpDeleteForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) { - acnpImpName := types.NamespacedName{ - Namespace: "", - Name: resImp.Spec.Name, - } - acnpName := types.NamespacedName{ - Namespace: "", - Name: common.AntreaMCSPrefix + resImp.Spec.Name, - } - klog.InfoS("Deleting ACNP and ACNPImport corresponding to ResourceImport", - "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) - - var err error - 
cleanupACNPImport := func() (ctrl.Result, error) { - acnpImp := &multiclusterv1alpha1.ACNPImport{} - err = r.localClusterClient.Get(ctx, acnpImpName, acnpImp) - if err != nil { - return ctrl.Result{}, client.IgnoreNotFound(err) - } - err = r.localClusterClient.Delete(ctx, acnpImp, &client.DeleteOptions{}) - if err != nil { - return ctrl.Result{}, client.IgnoreNotFound(err) - } - return ctrl.Result{}, nil - } - - acnp := &v1alpha1.ClusterNetworkPolicy{} - err = r.localClusterClient.Get(ctx, acnpName, acnp) - if err != nil { - if apierrors.IsNotFound(err) { - klog.V(2).InfoS("ACNP corresponding to ResourceImport has already been deleted", - "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) - return cleanupACNPImport() - } - return ctrl.Result{}, err - } - err = r.localClusterClient.Delete(ctx, acnp, &client.DeleteOptions{}) - if err != nil { - return ctrl.Result{}, err - } - return cleanupACNPImport() -} - func getMCService(resImp *multiclusterv1alpha1.ResourceImport) *corev1.Service { - mcsPorts := []corev1.ServicePort{} + var mcsPorts []corev1.ServicePort for _, p := range resImp.Spec.ServiceImport.Spec.Ports { mcsPorts = append(mcsPorts, corev1.ServicePort{ Name: p.Name, 
@@ -513,57 +387,6 @@ func getMCServiceImport(resImp *multiclusterv1alpha1.ResourceImport, clusterID s return svcImp } -func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1alpha1.ClusterNetworkPolicy { - if resImp.Spec.ClusterNetworkPolicy == nil { - return nil - } - return &v1alpha1.ClusterNetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: common.AntreaMCSPrefix + resImp.Spec.Name, - Annotations: map[string]string{ - common.AntreaMCACNPAnnotation: "true", - }, - }, - Spec: *resImp.Spec.ClusterNetworkPolicy, - } -} - -func getACNPImport(resImp *multiclusterv1alpha1.ResourceImport, tierNotFound bool) *multiclusterv1alpha1.ACNPImport { - if resImp.Spec.ClusterNetworkPolicy == nil { - return nil - } - return &multiclusterv1alpha1.ACNPImport{ - ObjectMeta: metav1.ObjectMeta{ - Name: resImp.Spec.Name, - }, - Status: multiclusterv1alpha1.ACNPImportStatus{ - Conditions: []multiclusterv1alpha1.ACNPImportCondition{ - getACNPImportStatus(tierNotFound), - }, - }, - } -} - -func getACNPImportStatus(tierNotFound bool) multiclusterv1alpha1.ACNPImportCondition { - tierNotFoundReason := "TierNotFound" - tierNotFoundMessage := "ACNP Tier does not exist in the importing cluster" - time := metav1.Now() - if tierNotFound { - return multiclusterv1alpha1.ACNPImportCondition{ - Type: multiclusterv1alpha1.ACNPImportRealizable, - Status: corev1.ConditionFalse, - LastTransitionTime: &time, - Reason: &tierNotFoundReason, - Message: &tierNotFoundMessage, - } - } - return multiclusterv1alpha1.ACNPImportCondition{ - Type: multiclusterv1alpha1.ACNPImportRealizable, - Status: corev1.ConditionTrue, - LastTransitionTime: &time, - } -} - func removeLocalSubsets(local []corev1.EndpointSubset, allSubsets []corev1.EndpointSubset) []corev1.EndpointSubset { filteredLocal := common.FilterEndpointSubsets(local) size := len(allSubsets) 
diff --git a/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go b/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go index 140a9988e6f..0e4619eb996 100644 --- a/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go +++ b/multicluster/controllers/multicluster/commonarea/resourceimport_controller_test.go @@ -40,12 +40,10 @@ import ( ) var ( - localClusterID = "cluster-a" - leaderNamespace = "default" - svcResImportName = leaderNamespace + "-" + "nginx-service" - epResImportName = leaderNamespace + "-" + "nginx-endpoints" - acnpImportName = "acnp-for-isolation" - acnpResImportName = leaderNamespace + "-" + acnpImportName + localClusterID = "cluster-a" + leaderNamespace = "default" + svcResImportName = leaderNamespace + "-" + "nginx-service" + epResImportName = leaderNamespace + "-" + "nginx-endpoints" svcImportReq = ctrl.Request{NamespacedName: types.NamespacedName{ Namespace: leaderNamespace, @@ -55,14 +53,6 @@ var ( Namespace: leaderNamespace, Name: epResImportName, }} - acnpImpReq = ctrl.Request{NamespacedName: types.NamespacedName{ - Namespace: leaderNamespace, - Name: acnpResImportName, - }} - acnpImpNoMatchingTierReq = ctrl.Request{NamespacedName: types.NamespacedName{ - Namespace: leaderNamespace, - Name: "default-acnp-no-matching-tier", - }} ctx = context.Background() scheme = runtime.NewScheme() 
@@ -119,63 +109,6 @@ var ( }, }, } - allowAction = v1alpha1.RuleActionAllow - dropAction = v1alpha1.RuleActionDrop - securityOpsTier = &v1alpha1.Tier{ - ObjectMeta: metav1.ObjectMeta{ - Name: "securityops", - }, - Spec: v1alpha1.TierSpec{ - Priority: int32(100), - Description: "[READ-ONLY]: System generated SecurityOps Tier", - }, - } - acnpResImport = &mcsv1alpha1.ResourceImport{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: leaderNamespace, - Name: acnpResImportName, - }, - Spec: mcsv1alpha1.ResourceImportSpec{ - Name: acnpImportName, - Kind: common.AntreaClusterNetworkPolicyKind, - ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ - Tier: "securityops", - Priority: 1.0, - AppliedTo: []v1alpha1.NetworkPolicyPeer{ - {NamespaceSelector: &metav1.LabelSelector{}}, - }, - Ingress: []v1alpha1.Rule{ - { - Action: &dropAction, - From: []v1alpha1.NetworkPolicyPeer{ - { - Namespaces: &v1alpha1.PeerNamespaces{ - Match: v1alpha1.NamespaceMatchSelf, - }, - }, - }, - }, - }, - }, - }, - } - acnpResImportNoMatchingTier = &mcsv1alpha1.ResourceImport{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: leaderNamespace, - Name: "default-acnp-no-matching-tier", - }, - Spec: mcsv1alpha1.ResourceImportSpec{ - Name: "acnp-no-matching-tier", - Kind: common.AntreaClusterNetworkPolicyKind, - ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ - Tier: "somerandomtier", - Priority: 1.0, - AppliedTo: []v1alpha1.NetworkPolicyPeer{ - {NamespaceSelector: &metav1.LabelSelector{}}, - }, - }, - }, - } ) func init() { 
@@ -240,68 +173,6 @@ func TestResourceImportReconciler_handleCreateEvent(t *testing.T) { } } -func TestResourceImportReconciler_handleCopySpanACNPCreateEvent(t *testing.T) { - remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) - go remoteMgr.Start() - defer remoteMgr.Stop() - - fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(securityOpsTier).Build() - fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(acnpResImport, acnpResImportNoMatchingTier).Build() - remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") - - tests := []struct { - name string - acnpImportName string - req ctrl.Request - expectedSuccess bool - }{ - { - name: "import ACNP of pre-defined tiers", - acnpImportName: acnpImportName, - req: acnpImpReq, - expectedSuccess: true, - }, - { - name: "import ACNP of non-existing tier", - acnpImportName: "acnp-no-matching-tier", - req: acnpImpNoMatchingTierReq, - expectedSuccess: false, - }, - } - r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, localClusterID, remoteCluster) - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if _, err := r.Reconcile(ctx, tt.req); err != nil { - if err != nil { - t.Errorf("ResourceImport Reconciler should handle ACNP create event successfully but got error = %v", err) - } - } else { - acnp := &v1alpha1.ClusterNetworkPolicy{} - err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + tt.acnpImportName}, acnp) - if tt.expectedSuccess && err != nil { - t.Errorf("ResourceImport Reconciler should import an ACNP successfully but got error = %v", err) - } else if !tt.expectedSuccess && (err == nil || !apierrors.IsNotFound(err)) { - t.Errorf("ResourceImport Reconciler should not import an ACNP whose Tier does not exist in current cluster. Expected NotFound error. 
Actual err = %v", err) - } - acnpImport := &mcsv1alpha1.ACNPImport{} - if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tt.acnpImportName}, acnpImport); err != nil { - t.Errorf("ResourceImport Reconciler should create ACNPImport for ACNP type resouc") - } - status := acnpImport.Status.Conditions - if len(status) > 0 && status[0].Type == mcsv1alpha1.ACNPImportRealizable { - if tt.expectedSuccess && status[0].Status != corev1.ConditionTrue { - t.Errorf("ACNPImport %v realizable status should be True but is %v instead", acnpImportName, status[0].Status) - } else if !tt.expectedSuccess && status[0].Status != corev1.ConditionFalse { - t.Errorf("ACNPImport %v realizable status should be False but is %v instead", acnpImportName, status[0].Status) - } - } else { - t.Errorf("No realizable status provided for ACNPImport %v", acnpImportName) - } - } - }) - } -} - func TestResourceImportReconciler_handleDeleteEvent(t *testing.T) { remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) go remoteMgr.Start() 
@@ -376,42 +247,6 @@ func TestResourceImportReconciler_handleDeleteEvent(t *testing.T) { } } -func TestResourceImportReconciler_handleCopySpanACNPDeleteEvent(t *testing.T) { - remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) - go remoteMgr.Start() - defer remoteMgr.Stop() - - existingACNP := &v1alpha1.ClusterNetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: common.AntreaMCSPrefix + acnpImportName, - }, - } - existingACNPImport := &mcsv1alpha1.ACNPImport{ - ObjectMeta: metav1.ObjectMeta{ - Name: acnpImportName, - }, - } - - fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP, existingACNPImport).Build() - fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).Build() - remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") - - r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, localClusterID, remoteCluster) - r.installedResImports.Add(*acnpResImport) - - if _, err := r.Reconcile(ctx, acnpImpReq); err != nil { - t.Errorf("ResourceImport Reconciler should handle ACNP ResourceImport delete event successfully but got error = %v", err) - } - acnp := &v1alpha1.ClusterNetworkPolicy{} - if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + acnpImportName}, acnp); !apierrors.IsNotFound(err) { - t.Errorf("ResourceImport Reconciler should delete ACNP successfully but got error = %v", err) - } - acnpImport := &mcsv1alpha1.ACNPImport{} - if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: acnpImportName}, acnpImport); !apierrors.IsNotFound(err) { - t.Errorf("ResourceImport Reconciler should delete ACNPImport successfully but got error = %v", err) - } -} - func TestResourceImportReconciler_handleUpdateEvent(t *testing.T) { remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) go remoteMgr.Start() 
@@ -662,219 +497,6 @@ func TestResourceImportReconciler_handleUpdateEvent(t *testing.T) { } } -func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { - remoteMgr := NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) - go remoteMgr.Start() - defer remoteMgr.Stop() - - existingACNP1 := &v1alpha1.ClusterNetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: common.AntreaMCSPrefix + acnpImportName, - Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, - }, - Spec: v1alpha1.ClusterNetworkPolicySpec{ - Tier: "securityops", - Priority: 1.0, - AppliedTo: []v1alpha1.NetworkPolicyPeer{ - {NamespaceSelector: &metav1.LabelSelector{}}, - }, - Ingress: []v1alpha1.Rule{ - { - Action: &allowAction, - 
From: []v1alpha1.NetworkPolicyPeer{ - { - Namespaces: &v1alpha1.PeerNamespaces{ - Match: v1alpha1.NamespaceMatchSelf, - }, - }, - }, - }, - }, - }, - } - existingACNPImport1 := &mcsv1alpha1.ACNPImport{ - ObjectMeta: metav1.ObjectMeta{ - Name: acnpImportName, - }, - Status: mcsv1alpha1.ACNPImportStatus{ - Conditions: []mcsv1alpha1.ACNPImportCondition{ - { - Type: mcsv1alpha1.ACNPImportRealizable, - Status: corev1.ConditionTrue, - }, - }, - }, - } - existingACNPImport2 := &mcsv1alpha1.ACNPImport{ - ObjectMeta: metav1.ObjectMeta{ - Name: "acnp-no-matching-tier", - }, - Status: mcsv1alpha1.ACNPImportStatus{ - Conditions: []mcsv1alpha1.ACNPImportCondition{ - { - Type: mcsv1alpha1.ACNPImportRealizable, - Status: corev1.ConditionFalse, - }, - }, - }, - } - updatedResImport2 := &mcsv1alpha1.ResourceImport{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: leaderNamespace, - Name: "default-acnp-no-matching-tier", - }, - Spec: mcsv1alpha1.ResourceImportSpec{ - Name: "acnp-no-matching-tier", - Kind: common.AntreaClusterNetworkPolicyKind, - ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ - Tier: "securityops", - Priority: 1.0, - AppliedTo: []v1alpha1.NetworkPolicyPeer{ - {NamespaceSelector: &metav1.LabelSelector{}}, - }, - }, - }, - } - existingACNP3 := &v1alpha1.ClusterNetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: common.AntreaMCSPrefix + "valid-updated-to-no-valid", - Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, - }, - Spec: v1alpha1.ClusterNetworkPolicySpec{ - Tier: "securityops", - Priority: 1.0, - AppliedTo: []v1alpha1.NetworkPolicyPeer{ - {NamespaceSelector: &metav1.LabelSelector{}}, - }, - }, - } - existingACNPImport3 := &mcsv1alpha1.ACNPImport{ - ObjectMeta: metav1.ObjectMeta{ - Name: "valid-updated-to-no-valid", - }, - Status: mcsv1alpha1.ACNPImportStatus{ - Conditions: []mcsv1alpha1.ACNPImportCondition{ - { - Type: mcsv1alpha1.ACNPImportRealizable, - Status: corev1.ConditionTrue, - }, - }, - }, - } - updatedResImport3 := 
&mcsv1alpha1.ResourceImport{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: leaderNamespace, - Name: "default-valid-updated-to-no-valid", - }, - Spec: mcsv1alpha1.ResourceImportSpec{ - Name: acnpImportName, - Kind: common.AntreaClusterNetworkPolicyKind, - ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ - Tier: "somerandomtier", - Priority: 1.0, - AppliedTo: []v1alpha1.NetworkPolicyPeer{ - {NamespaceSelector: &metav1.LabelSelector{}}, - }, - }, - }, - } - acnpImp3Req := ctrl.Request{NamespacedName: types.NamespacedName{ - Namespace: leaderNamespace, - Name: "default-valid-updated-to-no-valid", - }} - acnpImp4Req := ctrl.Request{NamespacedName: types.NamespacedName{ - Namespace: leaderNamespace, - Name: "default-name-conflict", - }} - existingACNP4 := &v1alpha1.ClusterNetworkPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: common.AntreaMCSPrefix + "name-conflict", - }, - Spec: v1alpha1.ClusterNetworkPolicySpec{ - Tier: "securityops", - Priority: 1.0, - AppliedTo: []v1alpha1.NetworkPolicyPeer{ - {NamespaceSelector: &metav1.LabelSelector{}}, - }, - }, - } - - fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP1, existingACNPImport1, existingACNPImport2, - existingACNP3, existingACNPImport3, existingACNP4, securityOpsTier).Build() - fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(acnpResImport, updatedResImport2, updatedResImport3).Build() - remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") - - r := NewResourceImportReconciler(fakeClient, scheme, fakeClient, localClusterID, remoteCluster) - r.installedResImports.Add(*acnpResImport) - r.installedResImports.Add(*acnpResImportNoMatchingTier) - r.installedResImports.Add(*updatedResImport3) - - tests := []struct { - name string - acnpImportName string - req ctrl.Request - expectErr bool - expectImportSuccess bool - expectedUpdatedACNPSpec *v1alpha1.ClusterNetworkPolicySpec - }{ - { - name: "update acnp 
spec", - acnpImportName: acnpImportName, - req: acnpImpReq, - expectErr: false, - expectImportSuccess: true, - expectedUpdatedACNPSpec: acnpResImport.Spec.ClusterNetworkPolicy, - }, - { - name: "imported acnp missing tier update to valid tier", - acnpImportName: "acnp-no-matching-tier", - req: acnpImpNoMatchingTierReq, - expectErr: false, - expectImportSuccess: true, - expectedUpdatedACNPSpec: updatedResImport2.Spec.ClusterNetworkPolicy, - }, - { - name: "valid imported acnp update to missing tier", - req: acnpImp3Req, - acnpImportName: "valid-updated-to-no-valid", - expectErr: false, - expectImportSuccess: false, - expectedUpdatedACNPSpec: nil, - }, - { - name: "name conflict with existing acnp", - req: acnpImp4Req, - acnpImportName: "name-conflict", - expectErr: true, - expectImportSuccess: false, - expectedUpdatedACNPSpec: nil, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if _, err := r.Reconcile(ctx, tt.req); err != nil { - if tt.expectErr { - assert.Contains(t, err.Error(), "conflicts with existing one") - } else { - t.Errorf("ResourceImport Reconciler should handle update event successfully but got error = %v", err) - } - } else { - if tt.expectedUpdatedACNPSpec != nil { - acnp := &v1alpha1.ClusterNetworkPolicy{} - err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + tt.acnpImportName}, acnp) - if tt.expectImportSuccess && err != nil { - t.Errorf("ResourceImport Reconciler should import an ACNP successfully but got error = %v", err) - } else if !tt.expectImportSuccess && (err == nil || !apierrors.IsNotFound(err)) { - t.Errorf("ResourceImport Reconciler should not import an ACNP whose Tier does not exist in current cluster. Expected NotFound error. 
Actual err = %v", err) - } else if !reflect.DeepEqual(acnp.Spec, *tt.expectedUpdatedACNPSpec) { - t.Errorf("ACNP spec was not updated successfully") - } - } - } - }) - } -} - func checkAnnotation(t *testing.T, svcImport *k8smcsapi.ServiceImport) { id, ok := svcImport.Annotations[common.AntreaMCClusterIDAnnotation] if id != localClusterID || !ok { diff --git a/multicluster/controllers/multicluster/resourceexport_controller.go b/multicluster/controllers/multicluster/resourceexport_controller.go index ad03e96848e..73bbcd438b4 100644 --- a/multicluster/controllers/multicluster/resourceexport_controller.go +++ b/multicluster/controllers/multicluster/resourceexport_controller.go @@ -74,7 +74,7 @@ func NewResourceExportReconciler( // Reconcile will process all kinds of ResourceExport. Service and Endpoint kinds of ResourceExport // will be handled in this file, and all other kinds will have their own handler files, eg: newkind_handler.go func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { - klog.V(2).InfoS("reconciling ResourceExport", "resourceexport", req.NamespacedName) + klog.V(2).InfoS("Reconciling ResourceExport", "resourceexport", req.NamespacedName) var resExport mcsv1alpha1.ResourceExport if err := r.Client.Get(ctx, req.NamespacedName, &resExport); err != nil { return ctrl.Result{}, client.IgnoreNotFound(err) 
@@ -132,13 +132,13 @@ func (r *ResourceExportReconciler) Reconcile(ctx context.Context, req ctrl.Reque if createResImport { if err = r.Client.Create(ctx, resImport, &client.CreateOptions{}); err != nil { - klog.ErrorS(err, "failed to create ResourceImport", "resourceimport", resImportName.String()) + klog.ErrorS(err, "Failed to create ResourceImport", "resourceimport", resImportName.String()) return ctrl.Result{}, err } r.updateResourceExportStatus(&resExport, succeed) - klog.InfoS("create ResourceImport successfully", "resourceimport", resImportName.String()) + klog.InfoS("Create ResourceImport successfully", "resourceimport", resImportName.String()) } else if changed { - klog.InfoS("update ResourceImport for ResoureExport", "resourceimport", resImportName.String(), "resourceexport", req.NamespacedName) + klog.InfoS("Update ResourceImport for ResoureExport", "resourceimport", resImportName.String(), "resourceexport", req.NamespacedName) if err = r.handleUpdateEvent(ctx, resImport, &resExport); err != nil { return ctrl.Result{}, err } @@ -161,13 +161,13 @@ func (r *ResourceExportReconciler) handleUpdateEvent(ctx context.Context, var err error if err = r.Client.Update(ctx, resImport, &client.UpdateOptions{}); err != nil { - klog.ErrorS(err, "failed to update ResourceImport", "resourceimport", resImpName.String()) + klog.ErrorS(err, "Failed to update ResourceImport", "resourceimport", resImpName.String()) return err } latestResImport := &mcsv1alpha1.ResourceImport{} err = r.Client.Get(ctx, resImpName, latestResImport) if err != nil { - klog.ErrorS(err, "failed to get latest ResourceImport", "resourceimport", resImpName.String()) + klog.ErrorS(err, "Failed to get latest ResourceImport", "resourceimport", resImpName.String()) return err } 
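Review bot: The rewritten log line in the `else if changed` branch of Reconcile keeps the pre-existing typo "ResoureExport" in its message; since this commit already touches the string for capitalization, `klog.InfoS("Update ResourceImport for ResourceExport", "resourceimport", resImportName.String(), "resourceexport", req.NamespacedName)` would fix the spelling in the same change. The success message a few lines above is emitted after Create has returned, so `"Created ResourceImport successfully"` reads more accurately than the present tense. Reconcile's body starts and ends outside the hunk.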
@@ -192,7 +192,7 @@ func (r *ResourceExportReconciler) handleUpdateEvent(ctx context.Context, latestResImport.Status.ClusterStatuses = append(latestResImport.Status.ClusterStatuses, newStatus) } if err := r.Client.Status().Update(ctx, latestResImport, &client.UpdateOptions{}); err != nil { - klog.ErrorS(err, "failed to update ResourceImport Status", "resourceimport", resImpName.String()) + klog.ErrorS(err, "Failed to update ResourceImport Status", "resourceimport", resImpName.String()) return err } return nil @@ -208,7 +208,7 @@ func (r *ResourceExportReconciler) handleDeleteEvent(ctx context.Context, resExp return err } resImportName := GetResourceImportName(resExport) - klog.Infof("There is resImport to delete named %s", resImportName) + klog.V(2).InfoS("Deleting ResourceImport created by ResourceExport", "resourceimport", resImportName.String(), "resourceexport", resExport.Name) undeleteItems := RemoveDeletedResourceExports(reList.Items) if len(undeleteItems) == 0 { @@ -227,7 +227,7 @@ func (r *ResourceExportReconciler) handleDeleteEvent(ctx context.Context, resExp func (r *ResourceExportReconciler) cleanUpResourceImport(ctx context.Context, resImp types.NamespacedName, re interface{}) error { - klog.InfoS("cleanup ResourceImport", "resourceimport", resImp.String()) + klog.InfoS("Cleaning up ResourceImport", "resourceimport", resImp.String()) resImport := &mcsv1alpha1.ResourceImport{ObjectMeta: metav1.ObjectMeta{ Name: resImp.Name, Namespace: resImp.Namespace, @@ -241,7 +241,7 @@ func (r *ResourceExportReconciler) updateEndpointResourceImport(ctx context.Cont resImport := &mcsv1alpha1.ResourceImport{} err := r.Client.Get(ctx, resImpName, resImport) if err != nil { - klog.ErrorS(err, "failed to get ResourceImport", "resourceimport", resImpName) + klog.ErrorS(err, "Failed to get ResourceImport", "resourceimport", resImpName) return client.IgnoreNotFound(err) } newResImport, changed, err := r.refreshEndpointsResourceImport(existRe, resImport, false) 
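Review bot: The replacement log line in handleDeleteEvent (the `@@ -208` hunk) drops the ResourceExport's namespace and moves the message from default verbosity to V(2), so the removal of a ResourceImport — a change that propagates to every member cluster — no longer shows up in default-level logs. The other hunks in this file identify the ResourceExport by `req.NamespacedName`, so `"resourceexport", klog.KObj(resExport)` would keep the namespace (GetResourceImportName takes `*mcsv1alpha1.ResourceExport`, so resExport satisfies klog.KMetadata), and `klog.InfoS(...)` without the `V(2)` would keep this event as visible as the create and update messages in the same file. handleDeleteEvent starts and ends outside the hunk.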
@@ -267,7 +267,7 @@ func (r *ResourceExportReconciler) getExistingResImport(ctx context.Context, err := r.Client.Get(ctx, resImportName, existResImport) if err != nil { if !apierrors.IsNotFound(err) { - klog.ErrorS(err, "failed to get ResourceImport", "resourceimport", resImportName.String()) + klog.ErrorS(err, "Failed to get ResourceImport", "resourceimport", resImportName.String()) return createResImport, nil, err } existResImport = &mcsv1alpha1.ResourceImport{ @@ -310,7 +310,7 @@ func (r *ResourceExportReconciler) refreshServiceResourceImport( if !apiequality.Semantic.DeepEqual(newResImport.Spec.ServiceImport.Spec.Ports, convertedPorts) { undeletedItems, err := r.getNotDeletedResourceExports(resExport) if err != nil { - klog.ErrorS(err, "failed to list ResourceExports, retry later") + klog.ErrorS(err, "Failed to list ResourceExports, retry later") return newResImport, false, err } // When there is only one Service ResourceExport, ResourceImport should reflect the change @@ -369,7 +369,7 @@ func (r *ResourceExportReconciler) refreshEndpointsResourceImport( return newResImport, true, nil } // check all matched Endpoints ResourceExport and generate a new EndpointSubset - newSubsets := []corev1.EndpointSubset{} + var newSubsets []corev1.EndpointSubset undeleteItems, err := r.getNotDeletedResourceExports(resExport) if err != nil { klog.ErrorS(err, "failed to list ResourceExports, retry later") @@ -423,7 +423,7 @@ func (r *ResourceExportReconciler) getNotDeletedResourceExports(resExport *mcsv1 } func (r *ResourceExportReconciler) updateResourceExportStatus(resExport *mcsv1alpha1.ResourceExport, res resReason) { - newConditions := []mcsv1alpha1.ResourceExportCondition{} + var newConditions []mcsv1alpha1.ResourceExportCondition switch res { case succeed: newConditions = []mcsv1alpha1.ResourceExportCondition{ 
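Review bot: The context line directly below the new `var newSubsets []corev1.EndpointSubset` in refreshEndpointsResourceImport (the `@@ -369` hunk) still reads `klog.ErrorS(err, "failed to list ResourceExports, retry later")`, while this commit capitalized the identical message in refreshServiceResourceImport one hunk earlier; `klog.ErrorS(err, "Failed to list ResourceExports, retry later")` would keep the two consistent. The switch from an empty slice literal to a nil slice here, in updateResourceExportStatus (`@@ -423`) and in RemoveDeletedResourceExports (`@@ -519`) only changes behavior if the slice is compared with reflect.DeepEqual or encoded without omitempty, which none of the visible callers appear to do. refreshEndpointsResourceImport's body starts and ends outside the hunk.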
@@ -519,7 +519,7 @@ func GetResourceImportName(resExport *mcsv1alpha1.ResourceExport) types.Namespac // RemoveDeletedResourceExports remove any ResourceExports with non-zero DeletionTimestamp // which is actually deleted object. func RemoveDeletedResourceExports(items []mcsv1alpha1.ResourceExport) []mcsv1alpha1.ResourceExport { - undeleteItems := []mcsv1alpha1.ResourceExport{} + var undeleteItems []mcsv1alpha1.ResourceExport for _, i := range items { if i.DeletionTimestamp.IsZero() { undeleteItems = append(undeleteItems, i) From 6ebe48c3f024e31fa9ee9651b994e14dd8e879ef Mon Sep 17 00:00:00 2001 From: Yang Ding Date: Mon, 7 Mar 2022 21:11:38 -0800 Subject: [PATCH 4/7] Add documentation Signed-off-by: Yang Ding --- docs/multicluster/architecture.md | 51 ++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) diff --git a/docs/multicluster/architecture.md b/docs/multicluster/architecture.md index 0dc7869288f..66d09007b95 100644 --- a/docs/multicluster/architecture.md +++ b/docs/multicluster/architecture.md @@ -26,7 +26,8 @@ The MemberClusterAnnounce CRD declares a member cluster configuration to the lea The Common Area is an abstraction in the Antrea Multi-cluster implementation provides a storage interface for resource export/import that can be read/written by all member and leader clusters -in the ClusterSet. The Common Area is implemented with a Namespace in the leader cluster +in the ClusterSet. The Common Area is implemented with a Namespace in the leader cluster for a +given ClusterSet. ## Antrea Multi-cluster Controller 
@@ -88,3 +89,51 @@ The Service Ports definition will be the same as exported Services, the Endpoint IPs from all member clusters. The new created Antrea Multi-cluster Service is just like a regular Kubernetes Service, so Pods in a member cluster can access the multi-cluster Service as usual without any extra setting. + +## Multi-cluster ClusterNetworkPolicy Replication (ACNP Copy-span) + +Antrea Multi-cluster admins can specify certain ClusterNetworkPolicies to be replicated across +the entire ClusterSet. This is especially useful for ClusterSet admins who want all clusters in the +ClusterSet to be applied with a consistent security posture (for example, all namespaces in all +clusters can only communicate with Pods in their own namespaces). For more information regarding +Antrea ClusterNetworkPolicy(ACNP), refer to [this document](../antrea-network-policy.md). + +To achieve such ACNP copy-span, admins can, in the acting leader cluster of a Multi-cluster deployment, +create a ResourceExport of kind `AntreaClusterNetworkPolicy` which contains the ClusterNetworkPolicy spec +they wish to be replicated. The ResourceExport should be created in the Namespace which implements the +Common Area of the ClusterSet. In future releases, some additional tooling may become available to +automate the creation of such ResourceExport and make ACNP replication across cluster eaiser. 
+ +```yaml +apiVersion: multicluster.crd.antrea.io/v1alpha1 +kind: ResourceExport +metadata: + name: strict-namespace-isolation-for-test-clusterset + namespace: antrea-mcs-ns # Namespace that implements Common Area of test-clusterset +spec: + kind: AntreaClusterNetworkPolicy + name: strict-namespace-isolation # In each importing cluster, an ACNP of name antrea-mc-strict-namespace-isolation will be created with the spec below + clusternetworkpolicy: + priority: 1 + tier: securityops + appliedTo: + - namespaceSelector: {} # Selects all Namespaces in the member cluster + ingress: + - action: Pass + from: + - namespaces: + match: Self # Skip drop rule for traffic from Pods in the same Namespace + - podSelector: + matchLabels: + k8s-app: kube-dns # Skip drop rule for traffic from the core-dns components + - action: Drop + from: + - namespaceSelector: {} # Drop from Pods from all other Namespaces +``` + +The above sample spec will create an ACNP in each member cluster which implements strict namespace +isolation for that cluster. + +Note that because the Tier that an ACNP refers to must exist before the ACNP is applied, an importing +cluster may fail to create the ACNP to be replicated, if the tier in the ResourceExport spec cannot be +found in that particular cluster. From 7407dc51f50acfda9d86d7d4444e30e7e3bba29c Mon Sep 17 00:00:00 2001 From: Yang Ding Date: Fri, 4 Mar 2022 13:25:09 -0800 Subject: [PATCH 5/7] Use events for acnp import status report 
Signed-off-by: Yang Ding --- docs/multicluster/architecture.md | 44 +- .../apis/multicluster/v1alpha1/acnpimport.go | 80 - .../v1alpha1/zz_generated.deepcopy.go | 109 - .../antrea-multicluster-leader-global.yml | 2459 ++++++++++++---- .../antrea-multicluster-leader-namespaced.yml | 46 +- .../yamls/antrea-multicluster-member.yml | 2485 +++++++++++++---- ...ulticluster.crd.antrea.io_acnpimports.yaml | 77 - ...cluster.crd.antrea.io_resourceexports.yaml | 86 +- ...cluster.crd.antrea.io_resourceimports.yaml | 86 +- multicluster/config/crd/kustomization.yaml | 1 - .../leader-ns/member_cluster_role.yaml | 10 + multicluster/config/rbac/role.yaml | 26 +- ...r.go => acnp_resourceimport_controller.go} | 155 +- ...=> acnp_resourceimport_controller_test.go} | 69 +- .../commonarea/resourceimport_controller.go | 3 +- .../typed/multicluster/v1alpha1/acnpimport.go | 183 -- .../v1alpha1/fake/fake_acnpimport.go | 132 - .../v1alpha1/fake/fake_multicluster_client.go | 4 - .../v1alpha1/generated_expansion.go | 2 - .../v1alpha1/multicluster_client.go | 5 - .../informers/externalversions/generic.go | 2 - .../multicluster/v1alpha1/acnpimport.go | 88 - .../multicluster/v1alpha1/interface.go | 7 - .../multicluster/v1alpha1/acnpimport.go | 67 - .../v1alpha1/expansion_generated.go | 4 - 25 files changed, 4132 insertions(+), 2098 deletions(-) delete mode 100644 multicluster/apis/multicluster/v1alpha1/acnpimport.go delete mode 100644 multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml rename multicluster/controllers/multicluster/commonarea/{acnpimport_controller.go => acnp_resourceimport_controller.go} (57%) rename multicluster/controllers/multicluster/commonarea/{acnpimport_controller_test.go => acnp_resourceimport_controller_test.go} (83%) delete mode 100644 multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go delete mode 100644 multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go delete mode 
100644 multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go delete mode 100644 multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go diff --git a/docs/multicluster/architecture.md b/docs/multicluster/architecture.md index 66d09007b95..ed4726ebe75 100644 --- a/docs/multicluster/architecture.md +++ b/docs/multicluster/architecture.md @@ -98,7 +98,7 @@ ClusterSet to be applied with a consistent security posture (for example, all na clusters can only communicate with Pods in their own namespaces). For more information regarding Antrea ClusterNetworkPolicy(ACNP), refer to [this document](../antrea-network-policy.md). -To achieve such ACNP copy-span, admins can, in the acting leader cluster of a Multi-cluster deployment, +To achieve such ACNP copy-span, admins can, in the acting leader cluster of a Multi-cluster deployment, create a ResourceExport of kind `AntreaClusterNetworkPolicy` which contains the ClusterNetworkPolicy spec they wish to be replicated. The ResourceExport should be created in the Namespace which implements the Common Area of the ClusterSet. In future releases, some additional tooling may become available to 
@@ -132,8 +132,46 @@ spec: ``` The above sample spec will create an ACNP in each member cluster which implements strict namespace -isolation for that cluster. +isolation for that cluster. Note that because the Tier that an ACNP refers to must exist before the ACNP is applied, an importing cluster may fail to create the ACNP to be replicated, if the tier in the ResourceExport spec cannot be -found in that particular cluster. +found in that particular cluster. The ACNP creation status of each member cluster will be reported back +to the Common Area as K8s Events, and can be checked by describing the ResourceImport of the original +ResourceExport: + +```text +kubectl describe resourceimport -A +--- +Name: strict-namespace-isolation-antreaclusternetworkpolicy +Namespace: antrea-mcs-ns +API Version: multicluster.crd.antrea.io/v1alpha1 +Kind: ResourceImport +Spec: + Clusternetworkpolicy: + Applied To: + Namespace Selector: + Ingress: + Action: Pass + Enable Logging: false + From: + Namespaces: + Match: Self + Pod Selector: + Match Labels: + k8s-app: kube-dns + Action: Drop + Enable Logging: false + From: + Namespace Selector: + Priority: 1 + Tier: random + Kind: AntreaClusterNetworkPolicy + Name: strict-namespace-isolation + ... +Events: + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ACNPImportSucceeded 2m11s resourceimport-controller ACNP successfully created in the importing cluster test-cluster-east + Warning ACNPImportFailed 2m11s resourceimport-controller ACNP Tier does not exist in the importing cluster test-cluster-west +``` diff --git a/multicluster/apis/multicluster/v1alpha1/acnpimport.go b/multicluster/apis/multicluster/v1alpha1/acnpimport.go deleted file mode 100644 index 479455326b2..00000000000 --- a/multicluster/apis/multicluster/v1alpha1/acnpimport.go +++ /dev/null 
@@ -1,80 +0,0 @@
-/*
-Copyright 2022 Antrea Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
- v1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// +genclient
-// +genclient:nonNamespaced
-// +kubebuilder:object:root=true
-// +kubebuilder:resource:path=acnpimports,scope=Cluster
-// +kubebuilder:subresource:status
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-// ACNPImport describes an ACNP imported from the leader cluster in a ClusterSet.
-type ACNPImport struct {
- metav1.TypeMeta `json:",inline"`
- // +optional
- metav1.ObjectMeta `json:"metadata,omitempty"`
- // +optional
- Status ACNPImportStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-// ACNPImportList contains a list of ACNPImport.
-type ACNPImportList struct {
- metav1.TypeMeta `json:",inline"`
- metav1.ListMeta `json:"metadata,omitempty"`
- Items []ACNPImport `json:"items"`
-}
-
-type ACNPImportStatus struct {
- // +optional
- // +patchStrategy=merge
- // +patchMergeKey=type
- // +listType=map
- // +listMapKey=type
- Conditions []ACNPImportCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
-}
-
-type ACNPImportConditionType string
-
-const (
- ACNPImportRealizable ACNPImportConditionType = "Realizable"
-)
-
-type ACNPImportCondition struct {
- Type ACNPImportConditionType `json:"type"`
- // Status is one of {"True", "False", "Unknown"}
- // +kubebuilder:validation:Enum=True;False;Unknown
- Status v1.ConditionStatus `json:"status"`
- // +optional
- LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
- // +optional
- Reason *string `json:"reason,omitempty"`
- // +optional
- Message *string `json:"message,omitempty"`
-}
-
-func init() {
- SchemeBuilder.Register(&ACNPImport{}, &ACNPImportList{})
-}
diff --git a/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go b/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go
index f6b81169c62..1811af33287 100644
--- a/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go
+++ b/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go
@@ -28,115 +28,6 @@ import ( apisv1alpha1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" ) -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ACNPImport) DeepCopyInto(out *ACNPImport) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Status.DeepCopyInto(&out.Status) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImport. -func (in *ACNPImport) DeepCopy() *ACNPImport { - if in == nil { - return nil - } - out := new(ACNPImport) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ACNPImport) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ACNPImportCondition) DeepCopyInto(out *ACNPImportCondition) { - *out = *in - if in.LastTransitionTime != nil { - in, out := &in.LastTransitionTime, &out.LastTransitionTime - *out = (*in).DeepCopy() - } - if in.Reason != nil { - in, out := &in.Reason, &out.Reason - *out = new(string) - **out = **in - } - if in.Message != nil { - in, out := &in.Message, &out.Message - *out = new(string) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImportCondition. -func (in *ACNPImportCondition) DeepCopy() *ACNPImportCondition { - if in == nil { - return nil - } - out := new(ACNPImportCondition) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *ACNPImportList) DeepCopyInto(out *ACNPImportList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]ACNPImport, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImportList. -func (in *ACNPImportList) DeepCopy() *ACNPImportList { - if in == nil { - return nil - } - out := new(ACNPImportList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ACNPImportList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ACNPImportStatus) DeepCopyInto(out *ACNPImportStatus) { - *out = *in - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = make([]ACNPImportCondition, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImportStatus. -func (in *ACNPImportStatus) DeepCopy() *ACNPImportStatus { - if in == nil { - return nil - } - out := new(ACNPImportStatus) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterClaim) DeepCopyInto(out *ClusterClaim) { *out = *in diff --git a/multicluster/build/yamls/antrea-multicluster-leader-global.yml b/multicluster/build/yamls/antrea-multicluster-leader-global.yml index 7d5e726c0ba..fc35c73efc8 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader-global.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader-global.yml 
@@ -1,78 +1,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null - labels: - app: antrea - name: acnpimports.multicluster.crd.antrea.io -spec: - group: multicluster.crd.antrea.io - names: - kind: ACNPImport - listKind: ACNPImportList - plural: acnpimports - singular: acnpimport - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ACNPImport describes an ACNP imported from the leader cluster in a ClusterSet. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: Status is one of {"True", "False", "Unknown"} - enum: - - "True" - - "False" - - Unknown - type: string - type: - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 
@@ -453,26 +380,43 @@ spec: description: If exported resource is AntreaClusterNetworkPolicy. properties: appliedTo: - description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping selector + of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -484,40 +428,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. 
Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -529,32 +504,59 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -566,40 +568,78 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array egress: - description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. 
type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -611,40 +651,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -656,32 +730,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -693,35 +796,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -733,40 +872,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -778,32 +951,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -815,56 +1017,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -876,40 +1124,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -921,32 +1203,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -958,24 +1269,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: 
@@ -983,34 +1311,58 @@ spec: type: object type: array ingress: - description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1022,40 +1374,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1067,32 +1453,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1104,35 +1519,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1144,40 +1595,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1189,32 +1674,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1226,56 +1740,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1287,40 +1847,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1332,32 +1926,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1369,24 +1992,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: @@ -1394,10 +2034,16 @@ spec: type: object type: array priority: - description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. type: number tier: - description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. type: string required: - priority 
@@ -2159,26 +2805,43 @@ spec: description: If imported resource is AntreaClusterNetworkPolicy. properties: appliedTo: - description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping selector + of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -2190,40 +2853,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. 
Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -2235,32 +2929,59 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -2272,40 +2993,78 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array egress: - description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. 
type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2317,40 +3076,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2362,32 +3155,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2399,35 +3221,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2439,40 +3297,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2484,32 +3376,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2521,56 +3442,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2582,40 +3549,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2627,32 +3628,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2664,24 +3694,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: 
@@ -2689,34 +3736,58 @@ spec: type: object type: array ingress: - description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2728,40 +3799,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2773,32 +3878,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2810,35 +3944,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2850,40 +4020,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2895,32 +4099,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2932,56 +4165,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2993,40 +4272,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -3038,32 +4351,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -3075,24 +4417,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: @@ -3100,10 +4459,16 @@ spec: type: object type: array priority: - description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. type: number tier: - description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. type: string required: - priority diff --git a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml index c9926188ad5..0d82029de18 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml @@ -36,19 +36,17 @@ rules: - apiGroups: - "" resources: - - services + - events verbs: - create - - delete - get - list - patch - update - - watch - apiGroups: - - crd.antrea.io + - "" resources: - - clusternetworkpolicies + - services verbs: - create - delete 
@@ -60,15 +58,7 @@ rules: - apiGroups: - crd.antrea.io resources: - - tiers - verbs: - - get - - list - - watch -- apiGroups: - - multicluster.crd.antrea.io - resources: - - acnpimports + - clusternetworkpolicies verbs: - create - delete @@ -78,13 +68,13 @@ rules: - update - watch - apiGroups: - - multicluster.crd.antrea.io + - crd.antrea.io resources: - - acnpimports/status + - tiers verbs: - get - - patch - - update + - list + - watch - apiGroups: - multicluster.crd.antrea.io resources: @@ -356,6 +346,26 @@ metadata: name: antrea-mc-member-cluster-role namespace: changeme rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - update - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/build/yamls/antrea-multicluster-member.yml b/multicluster/build/yamls/antrea-multicluster-member.yml index 496a9349703..68bf62344a4 100644 --- a/multicluster/build/yamls/antrea-multicluster-member.yml +++ b/multicluster/build/yamls/antrea-multicluster-member.yml 
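Review bot: The leader controller role in this manifest loses its `multicluster.crd.antrea.io` / `acnpimports` rule (create, delete, …) in this hunk and the companion `acnpimports/status` rule (get, patch, update) in the next one, while the diffstat lists `multicluster/config/rbac/role.yaml` as additions only; if the controller reconciling ACNPImport objects and their status still runs under this role it will be denied on exactly the resource this series introduces. Since this file is produced from config/rbac by the manifest generator, the removal looks like a stale or mismatched regeneration rather than an intended privilege drop — regenerate and confirm the rule set, or state in the commit message that dropping these grants from the leader role is deliberate. The reordering in the same hunks (events before services, clusternetworkpolicies before tiers) appears to be the generator's sorted output and needs no action.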
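Review bot: `antrea-mc-member-cluster-role` gains the same `events` rule twice in this hunk (two identical apiGroups/resources/verbs blocks back to back); the API server tolerates it, but it suggests the RBAC marker is declared in two controllers or a kustomize base is included twice, so deduplicate at the source rather than patching this generated file. The grant is also broader than an event recorder needs — `get`, `list` and `update` on Events are unusual; the conventional minimum is `verbs: [create, patch]`, so drop the extra verbs unless a code path in this series actually reads or updates Events. This is a namespaced Role (`namespace: changeme`), which confines the exposure to the leader namespace but does not remove the least-privilege concern.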
@@ -1,78 +1,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null - labels: - app: antrea - name: acnpimports.multicluster.crd.antrea.io -spec: - group: multicluster.crd.antrea.io - names: - kind: ACNPImport - listKind: ACNPImportList - plural: acnpimports - singular: acnpimport - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ACNPImport describes an ACNP imported from the leader cluster in a ClusterSet. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: Status is one of {"True", "False", "Unknown"} - enum: - - "True" - - "False" - - Unknown - type: string - type: - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 
@@ -453,26 +380,43 @@ spec: description: If exported resource is AntreaClusterNetworkPolicy. properties: appliedTo: - description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping selector + of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -484,40 +428,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. 
Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -529,32 +504,59 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -566,40 +568,78 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array egress: - description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. 
type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -611,40 +651,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -656,32 +730,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -693,35 +796,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -733,40 +872,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -778,32 +951,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -815,56 +1017,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -876,40 +1124,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -921,32 +1203,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -958,24 +1269,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: 
@@ -983,34 +1311,58 @@ spec: type: object type: array ingress: - description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1022,40 +1374,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1067,32 +1453,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1104,35 +1519,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1144,40 +1595,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1189,32 +1674,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1226,56 +1740,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1287,40 +1847,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1332,32 +1926,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1369,24 +1992,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: @@ -1394,10 +2034,16 @@ spec: type: object type: array priority: - description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. type: number tier: - description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. type: string required: - priority 
@@ -2159,26 +2805,43 @@ spec: description: If imported resource is AntreaClusterNetworkPolicy. properties: appliedTo: - description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping selector + of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -2190,40 +2853,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. 
Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -2235,32 +2929,59 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -2272,40 +2993,78 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array egress: - description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. 
type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2317,40 +3076,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2362,32 +3155,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2399,35 +3221,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2439,40 +3297,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2484,32 +3376,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2521,56 +3442,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2582,40 +3549,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2627,32 +3628,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2664,24 +3694,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: 
@@ -2689,34 +3736,58 @@ spec: type: object type: array ingress: - description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2728,40 +3799,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2773,32 +3878,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2810,35 +3944,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2850,40 +4020,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2895,32 +4099,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2932,56 +4165,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2993,40 +4272,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -3038,32 +4351,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -3075,24 +4417,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: @@ -3100,10 +4459,16 @@ spec: type: object type: array priority: - description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. type: number tier: - description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. type: string required: - priority @@ -3914,19 +5279,17 @@ rules: - apiGroups: - "" resources: - - services + - events verbs: - create - - delete - get - list - patch - update - - watch - apiGroups: - - crd.antrea.io + - "" resources: - - clusternetworkpolicies + - services verbs: - create - delete @@ -3938,15 +5301,7 @@ rules: - apiGroups: - crd.antrea.io resources: - - tiers - verbs: - - get - - list - - watch -- apiGroups: - - multicluster.crd.antrea.io - resources: - - acnpimports + - clusternetworkpolicies verbs: - create - delete 
@@ -3956,13 +5311,13 @@ rules: - update - watch - apiGroups: - - multicluster.crd.antrea.io + - crd.antrea.io resources: - - acnpimports/status + - tiers verbs: - get - - patch - - update + - list + - watch - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml deleted file mode 100644 index 7821d2e745a..00000000000 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null - name: acnpimports.multicluster.crd.antrea.io -spec: - group: multicluster.crd.antrea.io - names: - kind: ACNPImport - listKind: ACNPImportList - plural: acnpimports - singular: acnpimport - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ACNPImport describes an ACNP imported from the leader cluster - in a ClusterSet. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: Status is one of {"True", "False", "Unknown"} - enum: - - "True" - - "False" - - Unknown - type: string - type: - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] 
diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml index 7539481a70a..32993f38ba1 100644 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml @@ -239,6 +239,16 @@ spec: contains only "value". The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array egress: @@ -458,6 +468,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: @@ -669,6 +689,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: @@ -911,6 +941,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: 
@@ -921,17 +961,13 @@ spec: can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to - a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: @@ -1155,6 +1191,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: @@ -1366,6 +1412,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: @@ -1608,6 +1664,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: 
@@ -1618,17 +1684,13 @@ spec: can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to - a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml index ef9b9827319..8790288ea66 100644 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml @@ -241,6 +241,16 @@ spec: contains only "value". The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array egress: @@ -460,6 +470,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: 
@@ -671,6 +691,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: @@ -913,6 +943,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: @@ -923,17 +963,13 @@ spec: can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to - a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: @@ -1157,6 +1193,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: 
@@ -1368,6 +1414,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: @@ -1610,6 +1666,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: @@ -1620,17 +1686,13 @@ spec: can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to - a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: diff --git a/multicluster/config/crd/kustomization.yaml b/multicluster/config/crd/kustomization.yaml index 87c307449eb..7f77de35ec8 100644 --- a/multicluster/config/crd/kustomization.yaml +++ b/multicluster/config/crd/kustomization.yaml @@ -9,7 +9,6 @@ resources: - bases/multicluster.crd.antrea.io_resourceimportfilters.yaml - bases/multicluster.crd.antrea.io_resourceexports.yaml - bases/multicluster.crd.antrea.io_resourceimports.yaml -- bases/multicluster.crd.antrea.io_acnpimports.yaml - k8smcs/multicluster.x-k8s.io_serviceexports.yaml - k8smcs/multicluster.x-k8s.io_serviceimports.yaml #+kubebuilder:scaffold:crdkustomizeresource 
diff --git a/multicluster/config/overlays/leader-ns/member_cluster_role.yaml b/multicluster/config/overlays/leader-ns/member_cluster_role.yaml index 66201435698..0357f3f2131 100644 --- a/multicluster/config/overlays/leader-ns/member_cluster_role.yaml +++ b/multicluster/config/overlays/leader-ns/member_cluster_role.yaml @@ -6,6 +6,16 @@ metadata: name: member-cluster-role namespace: changeme rules: + - apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - update - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/config/rbac/role.yaml b/multicluster/config/rbac/role.yaml index 2f69305e473..d471b756f65 100644 --- a/multicluster/config/rbac/role.yaml +++ b/multicluster/config/rbac/role.yaml @@ -21,19 +21,17 @@ rules: - apiGroups: - "" resources: - - services + - events verbs: - create - - delete - get - list - patch - update - - watch - apiGroups: - - crd.antrea.io + - "" resources: - - clusternetworkpolicies + - services verbs: - create - delete @@ -45,15 +43,7 @@ rules: - apiGroups: - crd.antrea.io resources: - - tiers - verbs: - - get - - list - - watch -- apiGroups: - - multicluster.crd.antrea.io - resources: - - acnpimports + - clusternetworkpolicies verbs: - create - delete @@ -63,13 +53,13 @@ rules: - update - watch - apiGroups: - - multicluster.crd.antrea.io + - crd.antrea.io resources: - - acnpimports/status + - tiers verbs: - get - - patch - - update + - list + - watch - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/controllers/multicluster/commonarea/acnpimport_controller.go b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go similarity index 57% rename from multicluster/controllers/multicluster/commonarea/acnpimport_controller.go rename to multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go index 8134cead088..d8d09c7693a 100644 
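Review bot: The new `events` rule added to `member-cluster-role` gives every member cluster `update` and `patch` on Events in the shared leader Namespace, and Events carry no per-reporter ownership, so one member can rewrite or blank out the ACNP import status Events that another member reported. The only Event operation a member performs against the leader in this patch is a `Create` of a fresh object per reconcile (see `r.remoteCommonArea.Create(ctx, statusEvent, ...)` in the renamed acnp_resourceimport_controller.go), so `verbs: [create]` would cover the code as written. If `update`/`patch` are being reserved for future Event aggregation, a comment in the overlay such as `# update/patch allow a member to modify any Event in this Namespace, including other members' reports` would make the trade-off explicit for whoever applies the role.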
--- a/multicluster/controllers/multicluster/commonarea/acnpimport_controller.go +++ b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go @@ -1,12 +1,9 @@ /* Copyright 2022 Antrea Authors. - Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -19,6 +16,7 @@ package commonarea import ( "context" "errors" + "math/rand" corev1 "k8s.io/api/core/v1" apiequality "k8s.io/apimachinery/pkg/api/equality" 
@@ -34,16 +32,28 @@ import ( "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) +const ( + nameSuffixLength int = 5 + acnpImportStatusPrefix string = "acnp-import-status-" + acnpImportSucceeded string = "ACNPImportSucceeded" + acnpImportFailed string = "ACNPImportFailed" +) + +var ( + resourceImportAPIVersion = "multicluster.crd.antrea.io/v1alpha1" + resourceImportKind = "ResourceImport" + acnpEventReportingController = "resourceimport-controller" + // TODO(yang): add run-time pod suffix + acnpEventReportingInstance = "antrea-mc-controller" + lettersAndDigits = []rune("abcdefghijklmnopqrstuvwxyz0123456789") +) + func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) { - acnpImpName := types.NamespacedName{ - Namespace: "", - Name: resImp.Spec.Name, - } acnpName := types.NamespacedName{ Namespace: "", Name: common.AntreaMCSPrefix + resImp.Spec.Name, } - klog.InfoS("Updating ACNP and ACNPImport corresponding to ResourceImport", + klog.InfoS("Updating ACNP corresponding to ResourceImport", "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) acnp := &v1alpha1.ClusterNetworkPolicy{} 
@@ -86,85 +96,63 @@ func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx return ctrl.Result{}, err } } - acnpImp := &multiclusterv1alpha1.ACNPImport{} - err = r.localClusterClient.Get(ctx, acnpImpName, acnpImp) - acnpImpNotFound := apierrors.IsNotFound(err) - if err != nil && !acnpImpNotFound { - klog.ErrorS(err, "failed to get existing ACNPImports") - return ctrl.Result{}, err - } - // acnpImport status will be realizable=False if Tier is not found on this member cluster, and realizable=True otherwise. - acnpImpObj, isRealizable := getACNPImport(resImp, tierNotFound) - if acnpImpNotFound { - err := r.localClusterClient.Create(ctx, acnpImpObj, &client.CreateOptions{}) - if err != nil { - klog.ErrorS(err, "failed to create ACNPImport", "acnpimport", klog.KObj(acnpImpObj)) - return ctrl.Result{}, err - } - r.installedResImports.Add(*resImp) + + statusEvent := &corev1.Event{ + ObjectMeta: metav1.ObjectMeta{ + Name: randName(acnpImportStatusPrefix + r.localClusterID + "-"), + Namespace: resImp.Namespace, + }, + InvolvedObject: corev1.ObjectReference{ + APIVersion: resourceImportAPIVersion, + Kind: resourceImportKind, + Name: resImp.Name, + Namespace: resImp.Namespace, + UID: resImp.GetUID(), + }, + FirstTimestamp: metav1.Now(), + LastTimestamp: metav1.Now(), + ReportingController: acnpEventReportingController, + ReportingInstance: acnpEventReportingInstance, + Action: "reconciled", } - patchACNPImportStatus := false - if len(acnpImp.Status.Conditions) == 0 { - acnpImp.Status = acnpImpObj.Status - patchACNPImportStatus = true + if tierNotFound { + statusEvent.Type = corev1.EventTypeWarning + statusEvent.Reason = acnpImportFailed + statusEvent.Message = "ACNP Tier does not exist in the importing cluster " + r.localClusterID } else { - for _, c := range acnpImp.Status.Conditions { - if c.Type == multiclusterv1alpha1.ACNPImportRealizable && c.Status != isRealizable { - acnpImp.Status = acnpImpObj.Status - patchACNPImportStatus = true - } - } + 
statusEvent.Type = corev1.EventTypeNormal + statusEvent.Reason = acnpImportSucceeded + statusEvent.Message = "ACNP successfully created in the importing cluster " + r.localClusterID } - // Patch ACNPImport status if realizable state has changed. - if patchACNPImportStatus { - if err := r.localClusterClient.Status().Update(ctx, acnpImp); err != nil { - klog.ErrorS(err, "failed to update acnpImport status", "acnpImport", klog.KObj(acnpImp)) - } + if err = r.remoteCommonArea.Create(ctx, statusEvent, &client.CreateOptions{}); err != nil { + klog.ErrorS(err, "failed to create acnp import event for resourceimport", "resImp", klog.KObj(resImp)) + return ctrl.Result{}, err } return ctrl.Result{}, nil } func (r *ResourceImportReconciler) handleResImpDeleteForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) { - acnpImpName := types.NamespacedName{ - Namespace: "", - Name: resImp.Spec.Name, - } acnpName := types.NamespacedName{ Namespace: "", Name: common.AntreaMCSPrefix + resImp.Spec.Name, } - klog.InfoS("Deleting ACNP and ACNPImport corresponding to ResourceImport", + klog.InfoS("Deleting ACNP corresponding to ResourceImport", "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) - var err error - cleanupACNPImport := func() (ctrl.Result, error) { - acnpImp := &multiclusterv1alpha1.ACNPImport{} - err = r.localClusterClient.Get(ctx, acnpImpName, acnpImp) - if err != nil { - return ctrl.Result{}, client.IgnoreNotFound(err) - } - err = r.localClusterClient.Delete(ctx, acnpImp, &client.DeleteOptions{}) - if err != nil { - return ctrl.Result{}, client.IgnoreNotFound(err) - } - return ctrl.Result{}, nil - } - acnp := &v1alpha1.ClusterNetworkPolicy{} - err = r.localClusterClient.Get(ctx, acnpName, acnp) + err := r.localClusterClient.Get(ctx, acnpName, acnp) if err != nil { if apierrors.IsNotFound(err) { klog.V(2).InfoS("ACNP corresponding to ResourceImport has already been deleted", "acnp", acnpName.String(), 
"resourceimport", klog.KObj(resImp)) - return cleanupACNPImport() + return ctrl.Result{}, nil } return ctrl.Result{}, err } - err = r.localClusterClient.Delete(ctx, acnp, &client.DeleteOptions{}) - if err != nil { + if err = r.localClusterClient.Delete(ctx, acnp, &client.DeleteOptions{}); err != nil { return ctrl.Result{}, err } - return cleanupACNPImport() + return ctrl.Result{}, nil } func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1alpha1.ClusterNetworkPolicy { 
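Review bot: `handleResImpUpdateForClusterNetworkPolicy` now creates a brand-new Event on the leader on every reconcile of the ResourceImport, including reconciles where the ACNP is unchanged, and nothing aggregates them (no `Count`/`Series`), so a busy ClusterSet accumulates near-duplicate `acnp-import-status-*` objects in the leader Namespace until the API server's event TTL removes them. The client-side `Name: randName(...)` could become `GenerateName: acnpImportStatusPrefix + r.localClusterID + "-"` so the API server guarantees uniqueness, and the Event should be emitted only when the realizable state actually changes, which is the condition the removed `patchACNPImportStatus` logic used to track. Note also that the deleted block called `r.installedResImports.Add(*resImp)` after creating the ACNP and I do not see that call re-added in this hunk; if the tracking set is still consulted elsewhere, newly created ACNPs are no longer recorded in it — worth confirming against the start of the function, which lies above this hunk.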
@@ -182,37 +170,16 @@ func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1al } } -func getACNPImport(resImp *multiclusterv1alpha1.ResourceImport, tierNotFound bool) (*multiclusterv1alpha1.ACNPImport, corev1.ConditionStatus) { - if resImp.Spec.ClusterNetworkPolicy == nil { - return nil, corev1.ConditionFalse - } - status, isRealizable := getACNPImportStatus(tierNotFound) - return &multiclusterv1alpha1.ACNPImport{ - ObjectMeta: metav1.ObjectMeta{ - Name: resImp.Spec.Name, - }, - Status: multiclusterv1alpha1.ACNPImportStatus{ - Conditions: []multiclusterv1alpha1.ACNPImportCondition{status}, - }, - }, isRealizable +func randSeq(n int) string { + b := make([]rune, n) + for i := range b { + // #nosec G404: random number generator not used for security purposes + randIdx := rand.Intn(len(lettersAndDigits)) + b[i] = lettersAndDigits[randIdx] + } + return string(b) } -func getACNPImportStatus(tierNotFound bool) (multiclusterv1alpha1.ACNPImportCondition, corev1.ConditionStatus) { - tierNotFoundReason := "TierNotFound" - tierNotFoundMessage := "ACNP Tier does not exist in the importing cluster" - time := metav1.Now() - if tierNotFound { - return multiclusterv1alpha1.ACNPImportCondition{ - Type: multiclusterv1alpha1.ACNPImportRealizable, - Status: corev1.ConditionFalse, - LastTransitionTime: &time, - Reason: &tierNotFoundReason, - Message: &tierNotFoundMessage, - }, corev1.ConditionFalse - } - return multiclusterv1alpha1.ACNPImportCondition{ - Type: multiclusterv1alpha1.ACNPImportRealizable, - Status: corev1.ConditionTrue, - LastTransitionTime: &time, - }, corev1.ConditionTrue +func randName(prefix string) string { + return prefix + randSeq(nameSuffixLength) } 
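Review bot: `randSeq` reads from the global `math/rand` source without ever seeding it, and Go releases before 1.20 seed that source deterministically, so each controller restart replays the same sequence of 5-character suffixes: the first Event created after a restart gets the same name as the first one after the previous restart, and `Create` fails with AlreadyExists (costing a requeue) for as long as the earlier Event still exists. The `#nosec G404` annotation covers cryptographic strength but not this determinism; either seed once (`rand.Seed(time.Now().UnixNano())` in an `init`, or a per-reconciler `rand.New(rand.NewSource(...))`), or drop both helpers in favor of `ObjectMeta.GenerateName` and let the API server pick the suffix. If the helpers stay, a doc comment such as `// randName returns prefix followed by nameSuffixLength random lowercase alphanumerics; the suffix is for uniqueness only, not security.` would record the intent.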
diff --git a/multicluster/controllers/multicluster/commonarea/acnpimport_controller_test.go b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go similarity index 83% rename from multicluster/controllers/multicluster/commonarea/acnpimport_controller_test.go rename to multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go index 8a9b7ed5eef..9304c2cfa95 100644 --- a/multicluster/controllers/multicluster/commonarea/acnpimport_controller_test.go +++ b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go @@ -21,7 +21,6 @@ import ( "testing" "github.com/stretchr/testify/assert" - corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" 
@@ -148,20 +147,7 @@ func TestResourceImportReconciler_handleCopySpanACNPCreateEvent(t *testing.T) { } else if !tt.expectedSuccess && (err == nil || !apierrors.IsNotFound(err)) { t.Errorf("ResourceImport Reconciler should not import an ACNP whose Tier does not exist in current cluster. Expected NotFound error. Actual err = %v", err) } - acnpImport := &mcsv1alpha1.ACNPImport{} - if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tt.acnpImportName}, acnpImport); err != nil { - t.Errorf("ResourceImport Reconciler should create ACNPImport for ACNP type resouc") - } - status := acnpImport.Status.Conditions - if len(status) > 0 && status[0].Type == mcsv1alpha1.ACNPImportRealizable { - if tt.expectedSuccess && status[0].Status != corev1.ConditionTrue { - t.Errorf("ACNPImport %v realizable status should be True but is %v instead", acnpImportName, status[0].Status) - } else if !tt.expectedSuccess && status[0].Status != corev1.ConditionFalse { - t.Errorf("ACNPImport %v realizable status should be False but is %v instead", acnpImportName, status[0].Status) - } - } else { - t.Errorf("No realizable status provided for ACNPImport %v", acnpImportName) - } + //TODO(yang): add Event creation tests } }) } @@ -177,13 +163,8 @@ func TestResourceImportReconciler_handleCopySpanACNPDeleteEvent(t *testing.T) { Name: common.AntreaMCSPrefix + acnpImportName, }, } - existingACNPImport := &mcsv1alpha1.ACNPImport{ - ObjectMeta: metav1.ObjectMeta{ - Name: acnpImportName, - }, - } - fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP, existingACNPImport).Build() + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP).Build() fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).Build() remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") 
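Review bot: Replacing the ACNPImport status assertions with `//TODO(yang): add Event creation tests` leaves the new status-reporting path (the Event created on the leader in `handleResImpUpdateForClusterNetworkPolicy`) without any test, so a regression in the Type/Reason selection or in the Create call itself would not be caught. The delete test below already builds a fake remote client with `fake.NewClientBuilder().WithScheme(scheme).Build()`, so if the create test has the same wiring the assertions can list Events there: `events := &corev1.EventList{}` followed by `assert.NoError(t, fakeRemoteClient.List(ctx, events, client.InNamespace(leaderNamespace)))`, then check `events.Items[0].Reason` against `acnpImportSucceeded` or `acnpImportFailed` according to `tt.expectedSuccess`. This needs the `corev1` import that this patch removes from the test file to come back, and presumes corev1 types are registered in `scheme` — confirm against the test setup above the hunk.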
@@ -197,10 +178,6 @@ func TestResourceImportReconciler_handleCopySpanACNPDeleteEvent(t *testing.T) { if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + acnpImportName}, acnp); !apierrors.IsNotFound(err) { t.Errorf("ResourceImport Reconciler should delete ACNP successfully but got error = %v", err) } - acnpImport := &mcsv1alpha1.ACNPImport{} - if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: acnpImportName}, acnpImport); !apierrors.IsNotFound(err) { - t.Errorf("ResourceImport Reconciler should delete ACNPImport successfully but got error = %v", err) - } } func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { @@ -233,32 +210,6 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { }, }, } - existingACNPImport1 := &mcsv1alpha1.ACNPImport{ - ObjectMeta: metav1.ObjectMeta{ - Name: acnpImportName, - }, - Status: mcsv1alpha1.ACNPImportStatus{ - Conditions: []mcsv1alpha1.ACNPImportCondition{ - { - Type: mcsv1alpha1.ACNPImportRealizable, - Status: corev1.ConditionTrue, - }, - }, - }, - } - existingACNPImport2 := &mcsv1alpha1.ACNPImport{ - ObjectMeta: metav1.ObjectMeta{ - Name: "acnp-no-matching-tier", - }, - Status: mcsv1alpha1.ACNPImportStatus{ - Conditions: []mcsv1alpha1.ACNPImportCondition{ - { - Type: mcsv1alpha1.ACNPImportRealizable, - Status: corev1.ConditionFalse, - }, - }, - }, - } updatedResImport2 := &mcsv1alpha1.ResourceImport{ ObjectMeta: metav1.ObjectMeta{ Namespace: leaderNamespace, 
@@ -289,19 +240,6 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) {
 },
 },
 }
- existingACNPImport3 := &mcsv1alpha1.ACNPImport{
- ObjectMeta: metav1.ObjectMeta{
- Name: "valid-updated-to-no-valid",
- },
- Status: mcsv1alpha1.ACNPImportStatus{
- Conditions: []mcsv1alpha1.ACNPImportCondition{
- {
- Type: mcsv1alpha1.ACNPImportRealizable,
- Status: corev1.ConditionTrue,
- },
- },
- },
- }
 updatedResImport3 := &mcsv1alpha1.ResourceImport{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: leaderNamespace,
@@ -340,8 +278,7 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) {
 },
 }
 
- fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP1, existingACNPImport1, existingACNPImport2,
- existingACNP3, existingACNPImport3, existingACNP4, securityOpsTier).Build()
+ fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP1, existingACNP3, existingACNP4, securityOpsTier).Build()
 fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(acnpResImport, updatedResImport2, updatedResImport3).Build()
 remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default")
 
diff --git a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
index 5bd849be1da..9d6b0c08abc 100644
--- a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
+++ b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
@@ -81,13 +81,12 @@ func NewResourceImportReconciler(client client.Client, scheme *runtime.Scheme, l
 //+kubebuilder:rbac:groups=crd.antrea.io,resources=tiers,verbs=get;list;watch
 //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=acnpimports,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=acnpimports/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports/finalizers,verbs=update
 //+kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceimports,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceimports/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch;update;create;patch;delete
 //+kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;update;create;patch;delete
+//+kubebuilder:rbac:groups="",resources=events,verbs=get;list;update;create;patch
 
 // Reconcile will attempt to ensure that the imported Resource is installed in local cluster as per the
 // ResourceImport object.
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go
deleted file mode 100644
index c5359933c4b..00000000000
--- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go
+++ /dev/null
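Review bot: The new marker `//+kubebuilder:rbac:groups="",resources=events,verbs=get;list;update;create;patch` grants more on Events than emitting them requires: the standard client-go event recorder writes Events through create and patch only, so `get`, `list` and `update` widen the controller's generated ClusterRole beyond least privilege unless some other code path in the reconciler reads or rewrites Events. Trimming it to `//+kubebuilder:rbac:groups="",resources=events,verbs=create;patch` and regenerating the role manifest keeps the grant matched to what a recorder does; keep the extra verbs only if a visible caller needs them. The removal of the two acnpimports markers is consistent with the CRD and its clients being deleted in this commit. The marker block and the Reconcile method it annotates continue outside the hunk.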
@@ -1,183 +0,0 @@ -/* -Copyright 2021 Antrea Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "context" - "time" - - v1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" - scheme "antrea.io/antrea/multicluster/pkg/client/clientset/versioned/scheme" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - types "k8s.io/apimachinery/pkg/types" - watch "k8s.io/apimachinery/pkg/watch" - rest "k8s.io/client-go/rest" -) - -// ACNPImportsGetter has a method to return a ACNPImportInterface. -// A group's client should implement this interface. -type ACNPImportsGetter interface { - ACNPImports() ACNPImportInterface -} - -// ACNPImportInterface has methods to work with ACNPImport resources. 
-type ACNPImportInterface interface { - Create(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.CreateOptions) (*v1alpha1.ACNPImport, error) - Update(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (*v1alpha1.ACNPImport, error) - UpdateStatus(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (*v1alpha1.ACNPImport, error) - Delete(ctx context.Context, name string, opts v1.DeleteOptions) error - DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error - Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.ACNPImport, error) - List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.ACNPImportList, error) - Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) - Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ACNPImport, err error) - ACNPImportExpansion -} - -// aCNPImports implements ACNPImportInterface -type aCNPImports struct { - client rest.Interface -} - -// newACNPImports returns a ACNPImports -func newACNPImports(c *MulticlusterV1alpha1Client) *aCNPImports { - return &aCNPImports{ - client: c.RESTClient(), - } -} - -// Get takes name of the aCNPImport, and returns the corresponding aCNPImport object, and an error if there is any. -func (c *aCNPImports) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ACNPImport, err error) { - result = &v1alpha1.ACNPImport{} - err = c.client.Get(). - Resource("acnpimports"). - Name(name). - VersionedParams(&options, scheme.ParameterCodec). - Do(ctx). - Into(result) - return -} - -// List takes label and field selectors, and returns the list of ACNPImports that match those selectors. 
-func (c *aCNPImports) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ACNPImportList, err error) { - var timeout time.Duration - if opts.TimeoutSeconds != nil { - timeout = time.Duration(*opts.TimeoutSeconds) * time.Second - } - result = &v1alpha1.ACNPImportList{} - err = c.client.Get(). - Resource("acnpimports"). - VersionedParams(&opts, scheme.ParameterCodec). - Timeout(timeout). - Do(ctx). - Into(result) - return -} - -// Watch returns a watch.Interface that watches the requested aCNPImports. -func (c *aCNPImports) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { - var timeout time.Duration - if opts.TimeoutSeconds != nil { - timeout = time.Duration(*opts.TimeoutSeconds) * time.Second - } - opts.Watch = true - return c.client.Get(). - Resource("acnpimports"). - VersionedParams(&opts, scheme.ParameterCodec). - Timeout(timeout). - Watch(ctx) -} - -// Create takes the representation of a aCNPImport and creates it. Returns the server's representation of the aCNPImport, and an error, if there is any. -func (c *aCNPImports) Create(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.CreateOptions) (result *v1alpha1.ACNPImport, err error) { - result = &v1alpha1.ACNPImport{} - err = c.client.Post(). - Resource("acnpimports"). - VersionedParams(&opts, scheme.ParameterCodec). - Body(aCNPImport). - Do(ctx). - Into(result) - return -} - -// Update takes the representation of a aCNPImport and updates it. Returns the server's representation of the aCNPImport, and an error, if there is any. -func (c *aCNPImports) Update(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (result *v1alpha1.ACNPImport, err error) { - result = &v1alpha1.ACNPImport{} - err = c.client.Put(). - Resource("acnpimports"). - Name(aCNPImport.Name). - VersionedParams(&opts, scheme.ParameterCodec). - Body(aCNPImport). - Do(ctx). - Into(result) - return -} - -// UpdateStatus was generated because the type contains a Status member. 
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). -func (c *aCNPImports) UpdateStatus(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (result *v1alpha1.ACNPImport, err error) { - result = &v1alpha1.ACNPImport{} - err = c.client.Put(). - Resource("acnpimports"). - Name(aCNPImport.Name). - SubResource("status"). - VersionedParams(&opts, scheme.ParameterCodec). - Body(aCNPImport). - Do(ctx). - Into(result) - return -} - -// Delete takes name of the aCNPImport and deletes it. Returns an error if one occurs. -func (c *aCNPImports) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { - return c.client.Delete(). - Resource("acnpimports"). - Name(name). - Body(&opts). - Do(ctx). - Error() -} - -// DeleteCollection deletes a collection of objects. -func (c *aCNPImports) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { - var timeout time.Duration - if listOpts.TimeoutSeconds != nil { - timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second - } - return c.client.Delete(). - Resource("acnpimports"). - VersionedParams(&listOpts, scheme.ParameterCodec). - Timeout(timeout). - Body(&opts). - Do(ctx). - Error() -} - -// Patch applies the patch and returns the patched aCNPImport. -func (c *aCNPImports) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ACNPImport, err error) { - result = &v1alpha1.ACNPImport{} - err = c.client.Patch(pt). - Resource("acnpimports"). - Name(name). - SubResource(subresources...). - VersionedParams(&opts, scheme.ParameterCodec). - Body(data). - Do(ctx). - Into(result) - return -} 
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go deleted file mode 100644 index 5af9bd4660f..00000000000 --- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go +++ /dev/null 
@@ -1,132 +0,0 @@ -/* -Copyright 2021 Antrea Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - "context" - - v1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - labels "k8s.io/apimachinery/pkg/labels" - schema "k8s.io/apimachinery/pkg/runtime/schema" - types "k8s.io/apimachinery/pkg/types" - watch "k8s.io/apimachinery/pkg/watch" - testing "k8s.io/client-go/testing" -) - -// FakeACNPImports implements ACNPImportInterface -type FakeACNPImports struct { - Fake *FakeMulticlusterV1alpha1 -} - -var acnpimportsResource = schema.GroupVersionResource{Group: "multicluster.crd.antrea.io", Version: "v1alpha1", Resource: "acnpimports"} - -var acnpimportsKind = schema.GroupVersionKind{Group: "multicluster.crd.antrea.io", Version: "v1alpha1", Kind: "ACNPImport"} - -// Get takes name of the aCNPImport, and returns the corresponding aCNPImport object, and an error if there is any. -func (c *FakeACNPImports) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ACNPImport, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootGetAction(acnpimportsResource, name), &v1alpha1.ACNPImport{}) - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.ACNPImport), err -} - -// List takes label and field selectors, and returns the list of ACNPImports that match those selectors. 
-func (c *FakeACNPImports) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ACNPImportList, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootListAction(acnpimportsResource, acnpimportsKind, opts), &v1alpha1.ACNPImportList{}) - if obj == nil { - return nil, err - } - - label, _, _ := testing.ExtractFromListOptions(opts) - if label == nil { - label = labels.Everything() - } - list := &v1alpha1.ACNPImportList{ListMeta: obj.(*v1alpha1.ACNPImportList).ListMeta} - for _, item := range obj.(*v1alpha1.ACNPImportList).Items { - if label.Matches(labels.Set(item.Labels)) { - list.Items = append(list.Items, item) - } - } - return list, err -} - -// Watch returns a watch.Interface that watches the requested aCNPImports. -func (c *FakeACNPImports) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { - return c.Fake. - InvokesWatch(testing.NewRootWatchAction(acnpimportsResource, opts)) -} - -// Create takes the representation of a aCNPImport and creates it. Returns the server's representation of the aCNPImport, and an error, if there is any. -func (c *FakeACNPImports) Create(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.CreateOptions) (result *v1alpha1.ACNPImport, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootCreateAction(acnpimportsResource, aCNPImport), &v1alpha1.ACNPImport{}) - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.ACNPImport), err -} - -// Update takes the representation of a aCNPImport and updates it. Returns the server's representation of the aCNPImport, and an error, if there is any. -func (c *FakeACNPImports) Update(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (result *v1alpha1.ACNPImport, err error) { - obj, err := c.Fake. 
- Invokes(testing.NewRootUpdateAction(acnpimportsResource, aCNPImport), &v1alpha1.ACNPImport{}) - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.ACNPImport), err -} - -// UpdateStatus was generated because the type contains a Status member. -// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). -func (c *FakeACNPImports) UpdateStatus(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (*v1alpha1.ACNPImport, error) { - obj, err := c.Fake. - Invokes(testing.NewRootUpdateSubresourceAction(acnpimportsResource, "status", aCNPImport), &v1alpha1.ACNPImport{}) - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.ACNPImport), err -} - -// Delete takes name of the aCNPImport and deletes it. Returns an error if one occurs. -func (c *FakeACNPImports) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { - _, err := c.Fake. - Invokes(testing.NewRootDeleteAction(acnpimportsResource, name), &v1alpha1.ACNPImport{}) - return err -} - -// DeleteCollection deletes a collection of objects. -func (c *FakeACNPImports) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { - action := testing.NewRootDeleteCollectionAction(acnpimportsResource, listOpts) - - _, err := c.Fake.Invokes(action, &v1alpha1.ACNPImportList{}) - return err -} - -// Patch applies the patch and returns the patched aCNPImport. -func (c *FakeACNPImports) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ACNPImport, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootPatchSubresourceAction(acnpimportsResource, name, pt, data, subresources...), &v1alpha1.ACNPImport{}) - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.ACNPImport), err -} 
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go
index 12b08f2e009..30ac2ac7dae 100644
--- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go
+++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go
@@ -27,10 +27,6 @@ type FakeMulticlusterV1alpha1 struct {
 *testing.Fake
 }
 
-func (c *FakeMulticlusterV1alpha1) ACNPImports() v1alpha1.ACNPImportInterface {
- return &FakeACNPImports{c}
-}
-
 func (c *FakeMulticlusterV1alpha1) ClusterClaims(namespace string) v1alpha1.ClusterClaimInterface {
 return &FakeClusterClaims{c, namespace}
 }
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go
index 415b34aa575..f666a0a8999 100644
--- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go
+++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go
@@ -17,8 +17,6 @@ limitations under the License.
 package v1alpha1
-type ACNPImportExpansion interface{}
-
 type ClusterClaimExpansion interface{}
 type ClusterSetExpansion interface{}
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go
index 5985172b310..e3b1c38e45f 100644
--- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go
+++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go
@@ -25,7 +25,6 @@ import (
 type MulticlusterV1alpha1Interface interface {
 RESTClient() rest.Interface
- ACNPImportsGetter
 ClusterClaimsGetter
 ClusterSetsGetter
 MemberClusterAnnouncesGetter
@@ -40,10 +39,6 @@ type MulticlusterV1alpha1Client struct {
 restClient rest.Interface
 }
 
-func (c *MulticlusterV1alpha1Client) ACNPImports() ACNPImportInterface {
- return newACNPImports(c)
-}
-
 func (c *MulticlusterV1alpha1Client) ClusterClaims(namespace string) ClusterClaimInterface {
 return newClusterClaims(c, namespace)
 }
diff --git a/multicluster/pkg/client/informers/externalversions/generic.go b/multicluster/pkg/client/informers/externalversions/generic.go
index f294fc5d9f9..838bedf070a 100644
--- a/multicluster/pkg/client/informers/externalversions/generic.go
+++ b/multicluster/pkg/client/informers/externalversions/generic.go
@@ -52,8 +52,6 @@ func (f *genericInformer) Lister() cache.GenericLister {
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 switch resource {
 // Group=multicluster.crd.antrea.io, Version=v1alpha1
- case v1alpha1.SchemeGroupVersion.WithResource("acnpimports"):
- return &genericInformer{resource: resource.GroupResource(), informer: f.Multicluster().V1alpha1().ACNPImports().Informer()}, nil
 case v1alpha1.SchemeGroupVersion.WithResource("clusterclaims"):
 return &genericInformer{resource: resource.GroupResource(), informer: f.Multicluster().V1alpha1().ClusterClaims().Informer()}, nil
 case v1alpha1.SchemeGroupVersion.WithResource("clustersets"):
diff --git a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go
deleted file mode 100644
index 7d04a5f024f..00000000000
--- a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go
+++ /dev/null
@@ -1,88 +0,0 @@ -/* -Copyright 2021 Antrea Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "context" - time "time" - - multiclusterv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" - versioned "antrea.io/antrea/multicluster/pkg/client/clientset/versioned" - internalinterfaces "antrea.io/antrea/multicluster/pkg/client/informers/externalversions/internalinterfaces" - v1alpha1 "antrea.io/antrea/multicluster/pkg/client/listers/multicluster/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - watch "k8s.io/apimachinery/pkg/watch" - cache "k8s.io/client-go/tools/cache" -) - -// ACNPImportInformer provides access to a shared informer and lister for -// ACNPImports. -type ACNPImportInformer interface { - Informer() cache.SharedIndexInformer - Lister() v1alpha1.ACNPImportLister -} - -type aCNPImportInformer struct { - factory internalinterfaces.SharedInformerFactory - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// NewACNPImportInformer constructs a new informer for ACNPImport type. -// Always prefer using an informer factory to get a shared informer instead of getting an independent -// one. This reduces memory footprint and number of connections to the server. 
-func NewACNPImportInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { - return NewFilteredACNPImportInformer(client, resyncPeriod, indexers, nil) -} - -// NewFilteredACNPImportInformer constructs a new informer for ACNPImport type. -// Always prefer using an informer factory to get a shared informer instead of getting an independent -// one. This reduces memory footprint and number of connections to the server. -func NewFilteredACNPImportInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { - return cache.NewSharedIndexInformer( - &cache.ListWatch{ - ListFunc: func(options v1.ListOptions) (runtime.Object, error) { - if tweakListOptions != nil { - tweakListOptions(&options) - } - return client.MulticlusterV1alpha1().ACNPImports().List(context.TODO(), options) - }, - WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { - if tweakListOptions != nil { - tweakListOptions(&options) - } - return client.MulticlusterV1alpha1().ACNPImports().Watch(context.TODO(), options) - }, - }, - &multiclusterv1alpha1.ACNPImport{}, - resyncPeriod, - indexers, - ) -} - -func (f *aCNPImportInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { - return NewFilteredACNPImportInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) -} - -func (f *aCNPImportInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&multiclusterv1alpha1.ACNPImport{}, f.defaultInformer) -} - -func (f *aCNPImportInformer) Lister() v1alpha1.ACNPImportLister { - return v1alpha1.NewACNPImportLister(f.Informer().GetIndexer()) -} 
diff --git a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go
index 3752d69c273..ff4c3100c97 100644
--- a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go
+++ b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go
@@ -23,8 +23,6 @@ import (
 // Interface provides access to all the informers in this group version.
 type Interface interface {
- // ACNPImports returns a ACNPImportInformer.
- ACNPImports() ACNPImportInformer
 // ClusterClaims returns a ClusterClaimInformer.
 ClusterClaims() ClusterClaimInformer
 // ClusterSets returns a ClusterSetInformer.
@@ -52,11 +50,6 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
-// ACNPImports returns a ACNPImportInformer.
-func (v *version) ACNPImports() ACNPImportInformer {
- return &aCNPImportInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
-}
-
 // ClusterClaims returns a ClusterClaimInformer.
 func (v *version) ClusterClaims() ClusterClaimInformer {
 return &clusterClaimInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
diff --git a/multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go b/multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go
deleted file mode 100644
index 0c8602e79de..00000000000
--- a/multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go
+++ /dev/null
@@ -1,67 +0,0 @@ -/* -Copyright 2021 Antrea Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/client-go/tools/cache" -) - -// ACNPImportLister helps list ACNPImports. -// All objects returned here must be treated as read-only. -type ACNPImportLister interface { - // List lists all ACNPImports in the indexer. - // Objects returned here must be treated as read-only. - List(selector labels.Selector) (ret []*v1alpha1.ACNPImport, err error) - // Get retrieves the ACNPImport from the index for a given name. - // Objects returned here must be treated as read-only. - Get(name string) (*v1alpha1.ACNPImport, error) - ACNPImportListerExpansion -} - -// aCNPImportLister implements the ACNPImportLister interface. -type aCNPImportLister struct { - indexer cache.Indexer -} - -// NewACNPImportLister returns a new ACNPImportLister. -func NewACNPImportLister(indexer cache.Indexer) ACNPImportLister { - return &aCNPImportLister{indexer: indexer} -} - -// List lists all ACNPImports in the indexer. 
-func (s *aCNPImportLister) List(selector labels.Selector) (ret []*v1alpha1.ACNPImport, err error) { - err = cache.ListAll(s.indexer, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.ACNPImport)) - }) - return ret, err -} - -// Get retrieves the ACNPImport from the index for a given name. -func (s *aCNPImportLister) Get(name string) (*v1alpha1.ACNPImport, error) { - obj, exists, err := s.indexer.GetByKey(name) - if err != nil { - return nil, err - } - if !exists { - return nil, errors.NewNotFound(v1alpha1.Resource("acnpimport"), name) - } - return obj.(*v1alpha1.ACNPImport), nil -} diff --git a/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go b/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go index 1bad923a226..80cd468ef4e 100644 --- a/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go +++ b/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go @@ -17,10 +17,6 @@ limitations under the License. package v1alpha1 -// ACNPImportListerExpansion allows custom methods to be added to -// ACNPImportLister. -type ACNPImportListerExpansion interface{} - // ClusterClaimListerExpansion allows custom methods to be added to // ClusterClaimLister. type ClusterClaimListerExpansion interface{} From 66c6c103e8b5cb02e70037dcb8ad02b93d94d9d6 Mon Sep 17 00:00:00 2001 From: Yang Ding Date: Tue, 8 Mar 2022 14:15:40 -0800 Subject: [PATCH 6/7] Address more comments and add logic in stale controller 
Signed-off-by: Yang Ding --- docs/multicluster/architecture.md | 98 +++---------------- docs/multicluster/getting-started.md | 85 ++++++++++++++++ multicluster/Makefile | 2 +- .../acnp_resourceimport_controller.go | 90 +++++++++-------- .../acnp_resourceimport_controller_test.go | 12 ++- .../multicluster/resourceexport_controller.go | 4 +- .../multicluster/stale_controller.go | 63 +++++++++--- .../multicluster/stale_controller_test.go | 92 +++++++++++++++++ .../controllers/multicluster/test_data.go | 2 + 9 files changed, 304 insertions(+), 144 deletions(-) diff --git a/docs/multicluster/architecture.md b/docs/multicluster/architecture.md index ed4726ebe75..dee62cea984 100644 --- a/docs/multicluster/architecture.md +++ b/docs/multicluster/architecture.md 
@@ -90,88 +90,16 @@ IPs from all member clusters. The new created Antrea Multi-cluster Service is ju Kubernetes Service, so Pods in a member cluster can access the multi-cluster Service as usual without any extra setting. -## Multi-cluster ClusterNetworkPolicy Replication (ACNP Copy-span) - -Antrea Multi-cluster admins can specify certain ClusterNetworkPolicies to be replicated across -the entire ClusterSet. This is especially useful for ClusterSet admins who want all clusters in the -ClusterSet to be applied with a consistent security posture (for example, all namespaces in all -clusters can only communicate with Pods in their own namespaces). For more information regarding -Antrea ClusterNetworkPolicy(ACNP), refer to [this document](../antrea-network-policy.md). - -To achieve such ACNP copy-span, admins can, in the acting leader cluster of a Multi-cluster deployment, -create a ResourceExport of kind `AntreaClusterNetworkPolicy` which contains the ClusterNetworkPolicy spec -they wish to be replicated. The ResourceExport should be created in the Namespace which implements the -Common Area of the ClusterSet. In future releases, some additional tooling may become available to -automate the creation of such ResourceExport and make ACNP replication across cluster eaiser. 
- -```yaml -apiVersion: multicluster.crd.antrea.io/v1alpha1 -kind: ResourceExport -metadata: - name: strict-namespace-isolation-for-test-clusterset - namespace: antrea-mcs-ns # Namespace that implements Common Area of test-clusterset -spec: - kind: AntreaClusterNetworkPolicy - name: strict-namespace-isolation # In each importing cluster, an ACNP of name antrea-mc-strict-namespace-isolation will be created with the spec below - clusternetworkpolicy: - priority: 1 - tier: securityops - appliedTo: - - namespaceSelector: {} # Selects all Namespaces in the member cluster - ingress: - - action: Pass - from: - - namespaces: - match: Self # Skip drop rule for traffic from Pods in the same Namespace - - podSelector: - matchLabels: - k8s-app: kube-dns # Skip drop rule for traffic from the core-dns components - - action: Drop - from: - - namespaceSelector: {} # Drop from Pods from all other Namespaces -``` - -The above sample spec will create an ACNP in each member cluster which implements strict namespace -isolation for that cluster. - -Note that because the Tier that an ACNP refers to must exist before the ACNP is applied, an importing -cluster may fail to create the ACNP to be replicated, if the tier in the ResourceExport spec cannot be -found in that particular cluster. The ACNP creation status of each member cluster will be reported back -to the Common Area as K8s Events, and can be checked by describing the ResourceImport of the original -ResourceExport: - -```text -kubectl describe resourceimport -A ---- -Name: strict-namespace-isolation-antreaclusternetworkpolicy -Namespace: antrea-mcs-ns -API Version: multicluster.crd.antrea.io/v1alpha1 -Kind: ResourceImport -Spec: - Clusternetworkpolicy: - Applied To: - Namespace Selector: - Ingress: - Action: Pass - Enable Logging: false - From: - Namespaces: - Match: Self - Pod Selector: - Match Labels: - k8s-app: kube-dns - Action: Drop - Enable Logging: false - 
From: - Namespace Selector: - Priority: 1 - Tier: random - Kind: AntreaClusterNetworkPolicy - Name: strict-namespace-isolation - ... -Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - Normal ACNPImportSucceeded 2m11s resourceimport-controller ACNP successfully created in the importing cluster test-cluster-east - Warning ACNPImportFailed 2m11s resourceimport-controller ACNP Tier does not exist in the importing cluster test-cluster-west -``` +## Antrea Multi-cluster policy enforcement + +At this moment, Antrea does not support Pod-level policy enforcement for cross-cluster traffic. Access +towards Multi-cluster Services can be regulated with Antrea ClusterNetworkPolicy `toService` rules. In +each member cluster, users can create an Antrea ClusterNetworkPolicy selecting Pods in that cluster, with +the imported Mutli-cluster Service name and Namespace in an egress `toService` rule, and the Action to +take for traffic matching this rule. For more information regarding Antrea ClusterNetworkPolicy (ACNP), +refer to [this document](../antrea-network-policy.md). + +Multi-cluster admins can also specify certain ClusterNetworkPolicies to be replicated across the entire +ClusterSet. The ACNP to be replicated should be created as a ResourceExport in the leader cluster, and +the resource export/import pipeline will ensure member clusters receive this ACNP spec to be replicated. +Each member cluster's Multi-cluster Controller will then create an ACNP in their respective clusters. diff --git a/docs/multicluster/getting-started.md b/docs/multicluster/getting-started.md index 87081a2e284..df5c280ffac 100644 --- a/docs/multicluster/getting-started.md +++ b/docs/multicluster/getting-started.md 
@@ -412,6 +412,91 @@ ResourceExport into the corresponding ResourceImport until users correct it. due to forementioned mismatch issue, Antrea Multi-cluster Controller will also skip converging the corresponding Endpoints ResourceExport until users correct it. +## Multi-cluster ClusterNetworkPolicy Replication + +Since Antrea v1.6.0, Multi-cluster admins can specify certain ClusterNetworkPolicies to be replicated +across the entire ClusterSet. This is especially useful for ClusterSet admins who want all clusters in +the ClusterSet to be applied with a consistent security posture (for example, all Namespaces in all +clusters can only communicate with Pods in their own namespaces). For more information regarding +Antrea ClusterNetworkPolicy (ACNP), refer to [this document](../antrea-network-policy.md). + +To achieve such ACNP copy-span replication across clusters, admins can, in the acting leader cluster of +a Multi-cluster deployment, create a ResourceExport of kind `AntreaClusterNetworkPolicy` which contains +the ClusterNetworkPolicy spec they wish to be replicated. The ResourceExport should be created in the +Namespace which implements the Common Area of the ClusterSet. In future releases, some additional tooling +may become available to automate the creation of such ResourceExport and make ACNP replication easier. 
+ +```yaml +apiVersion: multicluster.crd.antrea.io/v1alpha1 +kind: ResourceExport +metadata: + name: strict-namespace-isolation-for-test-clusterset + namespace: antrea-mcs-ns # Namespace that implements Common Area of test-clusterset +spec: + kind: AntreaClusterNetworkPolicy + name: strict-namespace-isolation # In each importing cluster, an ACNP of name antrea-mc-strict-namespace-isolation will be created with the spec below + clusternetworkpolicy: + priority: 1 + tier: securityops + appliedTo: + - namespaceSelector: {} # Selects all Namespaces in the member cluster + ingress: + - action: Pass + from: + - namespaces: + match: Self # Skip drop rule for traffic from Pods in the same Namespace + - podSelector: + matchLabels: + k8s-app: kube-dns # Skip drop rule for traffic from the core-dns components + - action: Drop + from: + - namespaceSelector: {} # Drop from Pods from all other Namespaces +``` + +The above sample spec will create an ACNP in each member cluster which implements strict namespace +isolation for that cluster. + +Note that because the Tier that an ACNP refers to must exist before the ACNP is applied, an importing +cluster may fail to create the ACNP to be replicated, if the Tier in the ResourceExport spec cannot be +found in that particular cluster. If there are such failures, the ACNP creation status of failed member +clusters will be reported back to the Common Area as K8s Events, and can be checked by describing the +ResourceImport of the original ResourceExport: + +```text +kubectl describe resourceimport -A +--- +Name: strict-namespace-isolation-antreaclusternetworkpolicy +Namespace: antrea-mcs-ns +API Version: multicluster.crd.antrea.io/v1alpha1 +Kind: ResourceImport +Spec: + Clusternetworkpolicy: + Applied To: + Namespace Selector: + Ingress: + Action: Pass + Enable Logging: false + From: + Namespaces: + Match: Self + Pod Selector: + Match Labels: + k8s-app: kube-dns + Action: Drop + Enable Logging: false + 
From: + Namespace Selector: + Priority: 1 + Tier: random + Kind: AntreaClusterNetworkPolicy + Name: strict-namespace-isolation + ... +Events: + Type Reason Age From Message + ---- ------ ---- ---- ------- + Warning ACNPImportFailed 2m11s resourceimport-controller ACNP Tier random does not exist in the importing cluster test-cluster-west +``` + ## Known Issue We recommend user to reinstall or update Antrea Multi-cluster controllers through `kubectl apply`. diff --git a/multicluster/Makefile b/multicluster/Makefile index 1a4b8dbb474..c958326194c 100644 --- a/multicluster/Makefile +++ b/multicluster/Makefile @@ -1,7 +1,7 @@ # Produce CRDs that work back to Kubernetes 1.11 (no version conversion) # For controller-gen, float value is not allowed by default as it is considered dangerous # See https://github.com/kubernetes-sigs/controller-tools/issues/245 -# However the ResourceExport/Import refers to ACNP type definition and the priority field in ACNP spec is of type float64. +# However the ResourceExport/Import refers to ACNP type definition and the priority field in ACNP spec is type float64. # Hence, before any ACNP spec bumps that changes the priorty field to a different type, # the allowDangerousTypes flag is needed for CRD manifests to generate correctly. CRD_OPTIONS ?= "crd:trivialVersions=true,allowDangerousTypes=true,preserveUnknownFields=false" diff --git a/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go index d8d09c7693a..661a7f66e37 100644 --- a/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go +++ b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go @@ -16,6 +16,7 @@ package commonarea import ( "context" "errors" + "fmt" "math/rand" corev1 "k8s.io/api/core/v1" 
@@ -35,7 +36,6 @@ import ( const ( nameSuffixLength int = 5 acnpImportStatusPrefix string = "acnp-import-status-" - acnpImportSucceeded string = "ACNPImportSucceeded" acnpImportFailed string = "ACNPImportFailed" ) @@ -64,9 +64,10 @@ func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx } if !acnpNotFound { if _, ok := acnp.Annotations[common.AntreaMCACNPAnnotation]; !ok { - err := errors.New("unable to import Antrea ClusterNetworkPolicy which conflicts with existing one") + msg := "Unable to import Antrea ClusterNetworkPolicy which conflicts with existing one in cluster " + r.localClusterID + err := errors.New(msg) klog.ErrorS(err, "", "acnp", klog.KObj(acnp)) - return ctrl.Result{}, err + return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) } } acnpObj := getMCAntreaClusterPolicy(resImp) 
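Review bot: In the conflict branch, `err` is now built only to be logged, and the reconcile returns whatever `reportStatusEvent` returns, so once the Warning Event is written the ResourceImport counts as reconciled and is not requeued while the replicated policy stays unenforced in this cluster. That may well be intended, since a non-imported ACNP with the same name is a permanent condition, but nothing in the code says so; a comment above the `msg :=` line such as `// A non-imported ACNP with this name is a permanent conflict: report it to the Common Area and do not requeue.` would make the choice explicit. The `klog.ErrorS(err, "", ...)` call with an empty message is also odd now that `msg` exists; `klog.ErrorS(err, "Conflicting ACNP found", "acnp", klog.KObj(acnp))` carries the same information. handleResImpUpdateForClusterNetworkPolicy starts before this hunk and continues after it.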
@@ -78,55 +79,30 @@ func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx // Create or update the ACNP if necessary. if acnpNotFound { if err = r.localClusterClient.Create(ctx, acnpObj, &client.CreateOptions{}); err != nil { - klog.ErrorS(err, "failed to create imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj)) - return ctrl.Result{}, err + msg := "Failed to create imported Antrea ClusterNetworkPolicy in cluster " + r.localClusterID + klog.ErrorS(err, msg, "acnp", klog.KObj(acnpObj)) + return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) } + r.installedResImports.Add(*resImp) } else if !apiequality.Semantic.DeepEqual(acnp.Spec, acnpObj.Spec) { acnp.Spec = acnpObj.Spec if err = r.localClusterClient.Update(ctx, acnp, &client.UpdateOptions{}); err != nil { - klog.ErrorS(err, "failed to update imported Antrea ClusterNetworkPolicy", "acnp", klog.KObj(acnpObj)) - return ctrl.Result{}, err + msg := "Failed to update imported Antrea ClusterNetworkPolicy in cluster " + r.localClusterID + klog.ErrorS(err, msg, "acnp", klog.KObj(acnpObj)) + return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) } } } else if tierNotFound && !acnpNotFound { // The ACNP Tier does not exist, and the policy cannot be realized in this particular importing member cluster. // If there is an ACNP previously created via import (which has a valid Tier by then), it should be cleaned up. 
if err = r.localClusterClient.Delete(ctx, acnpObj, &client.DeleteOptions{}); err != nil { - klog.ErrorS(err, "failed to delete imported Antrea ClusterNetworkPolicy that no longer has a valid Tier for the current cluster", "acnp", klog.KObj(acnpObj)) - return ctrl.Result{}, err + msg := "Failed to delete imported Antrea ClusterNetworkPolicy that no longer has a valid Tier for cluster " + r.localClusterID + klog.ErrorS(err, msg, "acnp", klog.KObj(acnpObj)) + return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) } - } - - statusEvent := &corev1.Event{ - ObjectMeta: metav1.ObjectMeta{ - Name: randName(acnpImportStatusPrefix + r.localClusterID + "-"), - Namespace: resImp.Namespace, - }, - InvolvedObject: corev1.ObjectReference{ - APIVersion: resourceImportAPIVersion, - Kind: resourceImportKind, - Name: resImp.Name, - Namespace: resImp.Namespace, - UID: resImp.GetUID(), - }, - FirstTimestamp: metav1.Now(), - LastTimestamp: metav1.Now(), - ReportingController: acnpEventReportingController, - ReportingInstance: acnpEventReportingInstance, - Action: "reconciled", - } - if tierNotFound { - statusEvent.Type = corev1.EventTypeWarning - statusEvent.Reason = acnpImportFailed - statusEvent.Message = "ACNP Tier does not exist in the importing cluster " + r.localClusterID - } else { - statusEvent.Type = corev1.EventTypeNormal - statusEvent.Reason = acnpImportSucceeded - statusEvent.Message = "ACNP successfully created in the importing cluster " + r.localClusterID - } - if err = r.remoteCommonArea.Create(ctx, statusEvent, &client.CreateOptions{}); err != nil { - klog.ErrorS(err, "failed to create acnp import event for resourceimport", "resImp", klog.KObj(resImp)) - return ctrl.Result{}, err + } else if tierNotFound { + msg := fmt.Sprintf("ACNP Tier %s does not exist in importing cluster %s", tierName, r.localClusterID) + return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) } return ctrl.Result{}, nil } 
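Review bot: The Create, Update and Delete failure paths now discard the API error and return the result of `reportStatusEvent`, so a transient failure (a conflict, a timeout, a momentarily unavailable API server) ends the reconcile with nil as soon as the Event is written, and the ACNP is not retried until the ResourceImport changes again. Reporting and retrying are not exclusive: `if rErr := r.reportStatusEvent(msg, ctx, resImp); rErr != nil { return ctrl.Result{}, rErr }` followed by `return ctrl.Result{}, err` keeps the Event and lets controller-runtime requeue with backoff, though since every reportStatusEvent call creates a new Event object, a retry loop would then need some rate limiting. `r.installedResImports.Add(*resImp)` is called only on the Create path; if it tracks every ACNP this reconciler manages, the Update path presumably needs it too, which I cannot confirm from the hunk. The enclosing function starts before this hunk.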
@@ -170,6 +146,38 @@ func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1al } } +func (r *ResourceImportReconciler) reportStatusEvent(errMsg string, ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) error { + if errMsg == "" { + return nil + } + statusEvent := &corev1.Event{ + ObjectMeta: metav1.ObjectMeta{ + Name: randName(acnpImportStatusPrefix + r.localClusterID + "-"), + Namespace: resImp.Namespace, + }, + Type: corev1.EventTypeWarning, + Reason: acnpImportFailed, + Message: errMsg, + InvolvedObject: corev1.ObjectReference{ + APIVersion: resourceImportAPIVersion, + Kind: resourceImportKind, + Name: resImp.Name, + Namespace: resImp.Namespace, + UID: resImp.GetUID(), + }, + FirstTimestamp: metav1.Now(), + LastTimestamp: metav1.Now(), + ReportingController: acnpEventReportingController, + ReportingInstance: acnpEventReportingInstance, + Action: "synced", + } + if err := r.remoteCommonArea.Create(ctx, statusEvent, &client.CreateOptions{}); err != nil { + klog.ErrorS(err, "Failed to create ACNP import event for ResourceImport", "resImp", klog.KObj(resImp)) + return err + } + return nil +} + func randSeq(n int) string { b := make([]rune, n) for i := range b { diff --git a/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go index 9304c2cfa95..e9b420b4937 100644 --- a/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go +++ b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go 
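Review bot: `reportStatusEvent` takes `ctx` as its second parameter, while Go convention (and handleResImpUpdateForClusterNetworkPolicy in this same file) puts `context.Context` first; `reportStatusEvent(ctx context.Context, errMsg string, resImp *multiclusterv1alpha1.ResourceImport)` would read better and keep linters quiet. The method also has no doc comment; suggest `// reportStatusEvent records errMsg as a Warning Event with reason ACNPImportFailed on resImp in the remote Common Area. It is a no-op for an empty errMsg and returns the Create error otherwise.` Each call creates a fresh Event object with a random name suffix and no Count aggregation, so repeated reconciles of the same failing ResourceImport accumulate Events in the leader cluster, bounded only by the Event TTL.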
@@ -21,10 +21,12 @@ import ( "testing" "github.com/stretchr/testify/assert" + corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/client/fake" mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" @@ -147,7 +149,15 @@ func TestResourceImportReconciler_handleCopySpanACNPCreateEvent(t *testing.T) { } else if !tt.expectedSuccess && (err == nil || !apierrors.IsNotFound(err)) { t.Errorf("ResourceImport Reconciler should not import an ACNP whose Tier does not exist in current cluster. Expected NotFound error. Actual err = %v", err) } - //TODO(yang): add Event creation tests + if !tt.expectedSuccess { + errorList := &corev1.EventList{} + if err := fakeRemoteClient.List(ctx, errorList, &client.ListOptions{}); err != nil { + t.Errorf("Failed to list Events in remote Common Area") + } + if len(errorList.Items) == 0 { + t.Errorf("An event should be created for failed ACNP imports") + } + } } }) } diff --git a/multicluster/controllers/multicluster/resourceexport_controller.go b/multicluster/controllers/multicluster/resourceexport_controller.go index 73bbcd438b4..79e5a170ab1 100644 --- a/multicluster/controllers/multicluster/resourceexport_controller.go +++ b/multicluster/controllers/multicluster/resourceexport_controller.go @@ -372,7 +372,7 @@ func (r *ResourceExportReconciler) refreshEndpointsResourceImport( var newSubsets []corev1.EndpointSubset undeleteItems, err := r.getNotDeletedResourceExports(resExport) if err != nil { - klog.ErrorS(err, "failed to list ResourceExports, retry later") + klog.ErrorS(err, "Failed to list ResourceExports, retry later") return newResImport, false, err } for _, re := range undeleteItems { 
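Review bot: The added assertion in the test only checks that some Event exists in the fake remote client; it does not verify that it is the Event reportStatusEvent is supposed to produce. Asserting `errorList.Items[0].Reason == acnpImportFailed`, `errorList.Items[0].Type == corev1.EventTypeWarning` and that `InvolvedObject.Name` matches the ResourceImport under test would pin the contract. The List error is also dropped from the failure message; `t.Errorf("Failed to list Events in remote Common Area: %v", err)` is cheap. The enclosing test function starts before this hunk.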
@@ -400,7 +400,7 @@ func (r *ResourceExportReconciler) refreshACNPResourceImport( if !apiequality.Semantic.DeepEqual(resExport.Spec.ClusterNetworkPolicy, resImport.Spec.ClusterNetworkPolicy) { undeletedItems, err := r.getNotDeletedResourceExports(resExport) if err != nil { - klog.ErrorS(err, "failed to list ResourceExports for ACNP, retry later") + klog.ErrorS(err, "Failed to list ResourceExports for ACNP, retry later") return newResImport, false, err } if len(undeletedItems) == 1 && undeletedItems[0].Name == resExport.Name && undeletedItems[0].Namespace == resExport.Namespace { diff --git a/multicluster/controllers/multicluster/stale_controller.go b/multicluster/controllers/multicluster/stale_controller.go index 705593b4cf5..fa03147339c 100644 --- a/multicluster/controllers/multicluster/stale_controller.go +++ b/multicluster/controllers/multicluster/stale_controller.go @@ -33,6 +33,7 @@ import ( mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" "antrea.io/antrea/multicluster/controllers/multicluster/common" "antrea.io/antrea/multicluster/controllers/multicluster/commonarea" + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) // StaleController will clean up ServiceImport and MC Service if no corresponding ResourceImport 
@@ -68,17 +69,29 @@ func (c *StaleController) cleanup() error { if *c.remoteCommonAreaManager == nil { return errors.New("ClusterSet has not been initialized properly, no available remote common area") } - remoteCluster, err := getRemoteCommonArea(c.remoteCommonAreaManager) if err != nil { return err } - localClusterID := string((*c.remoteCommonAreaManager).GetLocalClusterID()) if len(localClusterID) == 0 { return errors.New("localClusterID is not initialized, retry later") } + resImpList := &mcsv1alpha1.ResourceImportList{} + if err := remoteCluster.List(ctx, resImpList, &client.ListOptions{Namespace: remoteCluster.GetNamespace()}); err != nil { + return err + } + if err := c.cleanupStaleServiceResources(remoteCluster, localClusterID, resImpList); err != nil { + return err + } + if err := c.cleanupACNPResources(resImpList); err != nil { + return err + } + return nil +} +func (c *StaleController) cleanupStaleServiceResources(remoteCluster commonarea.RemoteCommonArea, + localClusterID string, resImpList *mcsv1alpha1.ResourceImportList) error { svcImpList := &k8smcsv1alpha1.ServiceImportList{} if err := c.List(ctx, svcImpList, &client.ListOptions{}); err != nil { return err @@ -89,11 +102,6 @@ func (c *StaleController) cleanup() error { return err } - resImpList := &mcsv1alpha1.ResourceImportList{} - if err := remoteCluster.List(ctx, resImpList, &client.ListOptions{Namespace: remoteCluster.GetNamespace()}); err != nil { - return err - } - svcImpItems := svcImpList.Items var mcsSvcItems []corev1.Service for _, svc := range svcList.Items { 
@@ -104,12 +112,11 @@ func (c *StaleController) cleanup() error { for _, resImp := range resImpList.Items { for k, svc := range mcsSvcItems { - if svc.Name == common.AntreaMCSPrefix+resImp.Spec.Name && svc.Namespace == resImp.Spec.Namespace { + if resImp.Spec.Kind == common.ServiceKind && svc.Name == common.AntreaMCSPrefix+resImp.Spec.Name && svc.Namespace == resImp.Spec.Namespace { // Set the valid Service item as empty Service, then all left non-empty items should be removed. mcsSvcItems[k] = corev1.Service{} } } - for n, svcImp := range svcImpItems { if svcImp.Name == resImp.Spec.Name && svcImp.Namespace == resImp.Spec.Namespace { svcImpItems[n] = k8smcsv1alpha1.ServiceImport{} @@ -120,18 +127,17 @@ func (c *StaleController) cleanup() error { for _, svc := range mcsSvcItems { s := svc if s.Name != "" { - klog.InfoS("clean up Service", "service", klog.KObj(&s)) + klog.InfoS("Cleaning up stale Service", "service", klog.KObj(&s)) if err := c.Client.Delete(ctx, &s, &client.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { return err } } } - for _, svcImp := range svcImpItems { si := svcImp if si.Name != "" { - klog.InfoS("clean up ServiceImport", "serviceimport", klog.KObj(&si)) - if err = c.Client.Delete(ctx, &si, &client.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { + klog.InfoS("Cleaning up stale ServiceImport", "serviceimport", klog.KObj(&si)) + if err := c.Client.Delete(ctx, &si, &client.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { return err } } @@ -167,7 +173,7 @@ func (c *StaleController) cleanup() error { for _, r := range resExpItems { re := r if re.Name != "" { - klog.InfoS("clean up ResourceExport", "ResourceExport", klog.KObj(&re)) + klog.InfoS("Cleaning up ResourceExport", "ResourceExport", klog.KObj(&re)) if err := remoteCluster.Delete(ctx, &re, &client.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { return err } 
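Review bot: The Kind guard added to the Service match is not applied to the ServiceImport match a few lines below, so any ResourceImport whose Spec.Name and Spec.Namespace coincide with a ServiceImport still marks it as live regardless of its Kind. If ServiceImports are derived from Service-kind ResourceImports (I cannot confirm that from the hunk), `if resImp.Spec.Kind == common.ServiceKind && svcImp.Name == resImp.Spec.Name && svcImp.Namespace == resImp.Spec.Namespace {` keeps the two checks consistent; otherwise a comment explaining why the asymmetry is intended would help. cleanupStaleServiceResources starts before this hunk and ends after it.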
@@ -176,6 +182,35 @@ func (c *StaleController) cleanup() error { return nil } +func (c *StaleController) cleanupACNPResources(resImpList *mcsv1alpha1.ResourceImportList) error { + acnpList := &crdv1alpha1.ClusterNetworkPolicyList{} + if err := c.List(ctx, acnpList, &client.ListOptions{}); err != nil { + return err + } + staleMCACNPItems := map[string]crdv1alpha1.ClusterNetworkPolicy{} + for _, acnp := range acnpList.Items { + if _, ok := acnp.Annotations[common.AntreaMCACNPAnnotation]; ok { + staleMCACNPItems[acnp.Name] = acnp + } + } + for _, resImp := range resImpList.Items { + if resImp.Spec.Kind == common.AntreaClusterNetworkPolicyKind { + acnpNameFromResImp := common.AntreaMCSPrefix + resImp.Spec.Name + if _, ok := staleMCACNPItems[acnpNameFromResImp]; ok { + delete(staleMCACNPItems, acnpNameFromResImp) + } + } + } + for _, stalePolicy := range staleMCACNPItems { + acnp := stalePolicy + klog.InfoS("Cleaning up stale ACNP", "acnp", klog.KObj(&acnp)) + if err := c.Client.Delete(ctx, &acnp, &client.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { + return err + } + } + return nil +} + // Enqueue will be called after StaleController is initialized. func (c *StaleController) Enqueue() { // The key can be anything as we only have single item. diff --git a/multicluster/controllers/multicluster/stale_controller_test.go b/multicluster/controllers/multicluster/stale_controller_test.go index eacc0dd66f9..6d401863ce0 100644 --- a/multicluster/controllers/multicluster/stale_controller_test.go +++ b/multicluster/controllers/multicluster/stale_controller_test.go @@ -22,6 +22,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/klog/v2" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/client/fake" 
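Review bot: `cleanupACNPResources` deletes every local ClusterNetworkPolicy that carries `common.AntreaMCACNPAnnotation` and has no ACNP-kind ResourceImport with the matching `common.AntreaMCSPrefix` name; the annotation's presence alone decides ownership and its value is never checked, so a user-created ACNP that happens to carry the annotation is removed as well. That mirrors the conflict check in acnp_resourceimport_controller.go, but it deserves a doc comment, e.g. `// cleanupACNPResources deletes ACNPs created by import (marked by AntreaMCACNPAnnotation) whose ResourceImport no longer exists in the Common Area.` The map is named `staleMCACNPItems` while it initially holds all imported ACNPs, and the `if _, ok := ...; ok { delete(...) }` wrapper is redundant because `delete` on a missing key is a no-op, so `delete(staleMCACNPItems, common.AntreaMCSPrefix+resImp.Spec.Name)` suffices. `ctx` is not a parameter of either new helper and appears to be package state shared with cleanup(), which is worth confirming.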
@@ -30,9 +31,11 @@ import ( mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" "antrea.io/antrea/multicluster/controllers/multicluster/common" "antrea.io/antrea/multicluster/controllers/multicluster/commonarea" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) func TestStaleController_CleanupService(t *testing.T) { + localClusterID = "cluster-a" remoteMgr := commonarea.NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) go remoteMgr.Start() @@ -62,6 +65,7 @@ func TestStaleController_CleanupService(t *testing.T) { Spec: mcsv1alpha1.ResourceImportSpec{ Name: "non-nginx", Namespace: "default", + Kind: common.ServiceKind, }, } tests := []struct { 
@@ -123,6 +127,94 @@ func TestStaleController_CleanupService(t *testing.T) { } } +func TestStaleController_CleanupACNP(t *testing.T) { + localClusterID = "cluster-a" + remoteMgr := commonarea.NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) + go remoteMgr.Start() + + acnpImportName := "acnp-for-isolation" + acnpResImportName := leaderNamespace + "-" + acnpImportName + acnpResImport := mcsv1alpha1.ResourceImport{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "default", + Name: acnpResImportName, + }, + Spec: mcsv1alpha1.ResourceImportSpec{ + Name: acnpImportName, + Kind: common.AntreaClusterNetworkPolicyKind, + ClusterNetworkPolicy: &v1alpha1.ClusterNetworkPolicySpec{ + Tier: "securityops", + Priority: 1.0, + AppliedTo: []v1alpha1.NetworkPolicyPeer{ + {NamespaceSelector: &metav1.LabelSelector{}}, + }, + }, + }, + } + acnp1 := v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + acnpImportName, + Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, + }, + } + acnp2 := v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: common.AntreaMCSPrefix + "some-deleted-resimp", + Annotations: map[string]string{common.AntreaMCACNPAnnotation: "true"}, + }, + } + acnp3 := v1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "non-mcs-acnp", + }, + } + tests := []struct { + name string + existingACNPList *v1alpha1.ClusterNetworkPolicyList + existResImpList *mcsv1alpha1.ResourceImportList + expectedACNPRemaining sets.String + }{ + { + name: "cleanup stale ACNP", + existingACNPList: &v1alpha1.ClusterNetworkPolicyList{ + Items: []v1alpha1.ClusterNetworkPolicy{ + acnp1, acnp2, acnp3, + }, + }, + existResImpList: &mcsv1alpha1.ResourceImportList{ + Items: []mcsv1alpha1.ResourceImport{ + acnpResImport, + }, + }, + expectedACNPRemaining: sets.NewString(common.AntreaMCSPrefix+acnpImportName, "non-mcs-acnp"), + }, + } + for _, tt := range tests { + t.Run(tt.name, 
func(t *testing.T) { + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(tt.existingACNPList).Build() + fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(tt.existResImpList).Build() + _ = commonarea.NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") + + c := NewStaleController(fakeClient, scheme, &remoteMgr) + if err := c.cleanup(); err != nil { + t.Errorf("StaleController.cleanup() should clean up all stale ACNPs but got err = %v", err) + } + ctx := context.TODO() + acnpList := &v1alpha1.ClusterNetworkPolicyList{} + if err := fakeClient.List(ctx, acnpList, &client.ListOptions{}); err != nil { + t.Errorf("Error when listing the ACNPs after cleanup") + } + acnpRemaining := sets.NewString() + for _, acnp := range acnpList.Items { + acnpRemaining.Insert(acnp.Name) + } + if !acnpRemaining.Equal(tt.expectedACNPRemaining) { + t.Errorf("Unexpected stale ACNP cleanup result. Expected: %v, Actual: %v", tt.expectedACNPRemaining, acnpRemaining) + } + }) + } +} + func TestStaleController_CleanupResourceExport(t *testing.T) { localClusterID = "cluster-a" remoteMgr := commonarea.NewRemoteCommonAreaManager("test-clusterset", common.ClusterID(localClusterID)) diff --git a/multicluster/controllers/multicluster/test_data.go b/multicluster/controllers/multicluster/test_data.go index e8683da85cf..160db53e4c8 100644 --- a/multicluster/controllers/multicluster/test_data.go +++ b/multicluster/controllers/multicluster/test_data.go @@ -29,6 +29,7 @@ import ( k8smcsapi "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" mcsv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) var ( @@ -115,4 +116,5 @@ func init() { utilruntime.Must(mcsv1alpha1.AddToScheme(scheme)) utilruntime.Must(k8smcsapi.AddToScheme(scheme)) utilruntime.Must(k8sscheme.AddToScheme(scheme)) + utilruntime.Must(crdv1alpha1.AddToScheme(scheme)) } 
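Review bot: TestStaleController_CleanupACNP has a single table entry, so the Kind guard in cleanupACNPResources is never exercised; a second case with a Service-kind ResourceImport whose Spec.Name is `acnp-for-isolation` and an expectation that `common.AntreaMCSPrefix + acnpImportName` is deleted would cover it. The listing failure drops the error from its message; `t.Errorf("Error when listing the ACNPs after cleanup: %v", err)` costs nothing. The test also assigns the package-level `localClusterID` and starts `remoteMgr` with `go remoteMgr.Start()` without a visible stop, which makes test order and goroutine lifetime matter; I cannot tell from the hunk whether the manager offers a Stop. The enclosing test function starts before this hunk.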
From 298292089321870c8f8c6d04fc3466459f4f4fb2 Mon Sep 17 00:00:00 2001 From: Yang Ding Date: Fri, 18 Mar 2022 12:04:27 -0700 Subject: [PATCH 7/7] Address final comments Signed-off-by: Yang Ding --- docs/multicluster/getting-started.md | 4 +- .../antrea-multicluster-leader-namespaced.yml | 18 ------- .../yamls/antrea-multicluster-member.yml | 4 -- .../leader-ns/member_cluster_role.yaml | 4 -- multicluster/config/rbac/role.yaml | 4 -- .../acnp_resourceimport_controller.go | 48 ++++++------------- .../commonarea/resourceimport_controller.go | 2 +- 7 files changed, 17 insertions(+), 67 deletions(-) diff --git a/docs/multicluster/getting-started.md b/docs/multicluster/getting-started.md index df5c280ffac..d9d42cf9b12 100644 --- a/docs/multicluster/getting-started.md +++ b/docs/multicluster/getting-started.md @@ -420,8 +420,8 @@ the ClusterSet to be applied with a consistent security posture (for example, al clusters can only communicate with Pods in their own namespaces). For more information regarding Antrea ClusterNetworkPolicy (ACNP), refer to [this document](../antrea-network-policy.md). -To achieve such ACNP copy-span replication across clusters, admins can, in the acting leader cluster of -a Multi-cluster deployment, create a ResourceExport of kind `AntreaClusterNetworkPolicy` which contains +To achieve such ACNP replication across clusters, admins can, in the acting leader cluster of a +Multi-cluster deployment, create a ResourceExport of kind `AntreaClusterNetworkPolicy` which contains the ClusterNetworkPolicy spec they wish to be replicated. The ResourceExport should be created in the Namespace which implements the Common Area of the ClusterSet. In future releases, some additional tooling may become available to automate the creation of such ResourceExport and make ACNP replication easier. 
diff --git a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml index 0d82029de18..3b86f1926fd 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml @@ -39,10 +39,6 @@ rules: - events verbs: - create - - get - - list - - patch - - update - apiGroups: - "" resources: @@ -352,20 +348,6 @@ rules: - events verbs: - create - - get - - list - - patch - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - get - - list - - patch - - update - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/build/yamls/antrea-multicluster-member.yml b/multicluster/build/yamls/antrea-multicluster-member.yml index 68bf62344a4..54e526df71a 100644 --- a/multicluster/build/yamls/antrea-multicluster-member.yml +++ b/multicluster/build/yamls/antrea-multicluster-member.yml @@ -5282,10 +5282,6 @@ rules: - events verbs: - create - - get - - list - - patch - - update - apiGroups: - "" resources: diff --git a/multicluster/config/overlays/leader-ns/member_cluster_role.yaml b/multicluster/config/overlays/leader-ns/member_cluster_role.yaml index 0357f3f2131..b55887be4de 100644 --- a/multicluster/config/overlays/leader-ns/member_cluster_role.yaml +++ b/multicluster/config/overlays/leader-ns/member_cluster_role.yaml @@ -12,10 +12,6 @@ rules: - events verbs: - create - - get - - list - - patch - - update - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/config/rbac/role.yaml b/multicluster/config/rbac/role.yaml index d471b756f65..d5f02c7eea3 100644 --- a/multicluster/config/rbac/role.yaml +++ b/multicluster/config/rbac/role.yaml @@ -24,10 +24,6 @@ rules: - events verbs: - create - - get - - list - - patch - - update - apiGroups: - "" resources: 
diff --git a/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go index 661a7f66e37..2e8b3ccea3e 100644 --- a/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go +++ b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go @@ -17,7 +17,6 @@ import ( "context" "errors" "fmt" - "math/rand" corev1 "k8s.io/api/core/v1" apiequality "k8s.io/apimachinery/pkg/api/equality" @@ -33,11 +32,7 @@ import ( "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) -const ( - nameSuffixLength int = 5 - acnpImportStatusPrefix string = "acnp-import-status-" - acnpImportFailed string = "ACNPImportFailed" -) +const acnpImportFailed string = "ACNPImportFailed" var ( resourceImportAPIVersion = "multicluster.crd.antrea.io/v1alpha1" @@ -45,7 +40,6 @@ var ( acnpEventReportingController = "resourceimport-controller" // TODO(yang): add run-time pod suffix acnpEventReportingInstance = "antrea-mc-controller" - lettersAndDigits = []rune("abcdefghijklmnopqrstuvwxyz0123456789") ) func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) { 
@@ -71,9 +65,14 @@ func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx } } acnpObj := getMCAntreaClusterPolicy(resImp) - tierKind, tierName := &v1alpha1.Tier{}, acnpObj.Spec.Tier - err = r.localClusterClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tierName}, tierKind) + tierObj, tierName := &v1alpha1.Tier{}, acnpObj.Spec.Tier + err = r.localClusterClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tierName}, tierObj) tierNotFound := apierrors.IsNotFound(err) + if err != nil && !tierNotFound { + msg := fmt.Sprintf("Failed to get Tier %s in member cluster %s", tierName, r.localClusterID) + return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) + } + tierNotFoundMsg := fmt.Sprintf("ACNP Tier %s does not exist in importing cluster %s", tierName, r.localClusterID) if !tierNotFound { // If the ACNP Tier exists in the importing member cluster, then the policy is realizable. // Create or update the ACNP if necessary. @@ -92,7 +91,7 @@ func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) } } - } else if tierNotFound && !acnpNotFound { + } else if !acnpNotFound { // The ACNP Tier does not exist, and the policy cannot be realized in this particular importing member cluster. // If there is an ACNP previously created via import (which has a valid Tier by then), it should be cleaned up. if err = r.localClusterClient.Delete(ctx, acnpObj, &client.DeleteOptions{}); err != nil { 
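Review bot: The new `if err != nil && !tierNotFound` branch reports the Tier Get failure but returns only the outcome of reportStatusEvent, so a transient API error (anything other than NotFound) becomes a Warning Event plus a nil result, and the ACNP is neither created nor retried until the ResourceImport changes. The same pattern exists on the Create/Update/Delete paths later in this function and in PATCH 1/7. Returning the original error after reporting, `if rErr := r.reportStatusEvent(msg, ctx, resImp); rErr != nil { return ctrl.Result{}, rErr }` and then `return ctrl.Result{}, fmt.Errorf("getting Tier %s: %w", tierName, err)`, keeps the Event and lets controller-runtime requeue with backoff. The enclosing function starts before this hunk and continues after it.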
@@ -100,9 +99,9 @@ func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx klog.ErrorS(err, msg, "acnp", klog.KObj(acnpObj)) return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) } - } else if tierNotFound { - msg := fmt.Sprintf("ACNP Tier %s does not exist in importing cluster %s", tierName, r.localClusterID) - return ctrl.Result{}, r.reportStatusEvent(msg, ctx, resImp) + return ctrl.Result{}, r.reportStatusEvent(tierNotFoundMsg, ctx, resImp) + } else { + return ctrl.Result{}, r.reportStatusEvent(tierNotFoundMsg, ctx, resImp) } return ctrl.Result{}, nil } @@ -132,9 +131,6 @@ func (r *ResourceImportReconciler) handleResImpDeleteForClusterNetworkPolicy(ctx } func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1alpha1.ClusterNetworkPolicy { - if resImp.Spec.ClusterNetworkPolicy == nil { - return nil - } return &v1alpha1.ClusterNetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: common.AntreaMCSPrefix + resImp.Spec.Name, @@ -147,12 +143,10 @@ func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1al } func (r *ResourceImportReconciler) reportStatusEvent(errMsg string, ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) error { - if errMsg == "" { - return nil - } + t := metav1.Now() statusEvent := &corev1.Event{ ObjectMeta: metav1.ObjectMeta{ - Name: randName(acnpImportStatusPrefix + r.localClusterID + "-"), + Name: fmt.Sprintf("%v.%x", resImp.Name, t.UnixNano()), Namespace: resImp.Namespace, }, Type: corev1.EventTypeWarning, 
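Review bot: Both the `else if !acnpNotFound` branch and the trailing `else` now end with the identical `return ctrl.Result{}, r.reportStatusEvent(tierNotFoundMsg, ctx, resImp)`, and the final `return ctrl.Result{}, nil` is reachable only from the `!tierNotFound` branch. Folding the two into one Tier-not-found branch that deletes the stale ACNP when `!acnpNotFound` and then reports once would remove the duplication; a comment like `// Tier missing: remove any previously imported copy, then report the condition.` would document the intent. handleResImpUpdateForClusterNetworkPolicy starts before this hunk.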
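Review bot: Removing the nil check from getMCAntreaClusterPolicy means a ResourceImport of kind AntreaClusterNetworkPolicy with no `clusternetworkpolicy` field now reaches the struct literal; if the body outside the hunk dereferences `resImp.Spec.ClusterNetworkPolicy`, that is a nil-pointer panic in the reconciler instead of a skipped object. The ResourceExport webhook in this series may reject such exports on the leader, but ResourceImports are read from another cluster's API server and the member controller should fail closed on malformed ones; a guard at the call site in handleResImpUpdateForClusterNetworkPolicy, `if resImp.Spec.ClusterNetworkPolicy == nil { return ctrl.Result{}, r.reportStatusEvent("ResourceImport has no ClusterNetworkPolicy spec", ctx, resImp) }`, would keep that behaviour.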
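Review bot: With the `errMsg == ""` guard gone, reportStatusEvent always creates an Event, so callers must never pass an empty message, and the (still missing) doc comment should say so. The name `fmt.Sprintf("%v.%x", resImp.Name, t.UnixNano())` follows the client-go recorder convention and drops the math/rand suffix, but one new Event object is still created per call with no aggregation, and the RBAC in this patch now grants only `create` on events, so a persistently missing Tier yields one Event in the leader cluster per reconcile of that ResourceImport. Suggest `// reportStatusEvent creates a Warning Event (reason ACNPImportFailed) for resImp in the remote Common Area. Each call creates a new Event object; errMsg must be non-empty.` The function continues after this hunk.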
@@ -177,17 +171,3 @@ func (r *ResourceImportReconciler) reportStatusEvent(errMsg string, ctx context. } return nil } - -func randSeq(n int) string { - b := make([]rune, n) - for i := range b { - // #nosec G404: random number generator not used for security purposes - randIdx := rand.Intn(len(lettersAndDigits)) - b[i] = lettersAndDigits[randIdx] - } - return string(b) -} - -func randName(prefix string) string { - return prefix + randSeq(nameSuffixLength) -} diff --git a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go index 9d6b0c08abc..5a2d0b816c1 100644 --- a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go +++ b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go @@ -86,7 +86,7 @@ func NewResourceImportReconciler(client client.Client, scheme *runtime.Scheme, l //+kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceimports/status,verbs=get;update;patch //+kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch;update;create;patch;delete //+kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;update;create;patch;delete -//+kubebuilder:rbac:groups="",resources=events,verbs=get;list;update;create;patch +//+kubebuilder:rbac:groups="",resources=events,verbs=create // Reconcile will attempt to ensure that the imported Resource is installed in local cluster as per the // ResourceImport object.